Issues specifying a dot (.) in the "scope=" URL parameter string

The app registration says I should submit the following:

https://auth.atlassian.com/authorize?
audience=api.atlassian.com
&client_id=${YOUR_CLIENT_ID}
&scope=read%3Ajira-work%20read%3Ajira-user%20write%3Ajira-work
&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Foidc-callback
&state=${YOUR_USER_BOUND_VALUE}
&response_type=code
&prompt=consent

The OIDC library uses JavaScript’s URL API to URL-encode the scope:

// The base authorize URL from the app registration (placeholders left as-is)
const url = 'https://auth.atlassian.com/authorize?audience=api.atlassian.com&client_id=${YOUR_CLIENT_ID}';
const scope = 'read.jira-work read.jira-user write.jira-work';
const parsedUrl = new URL(url);
parsedUrl.searchParams.append("scope", scope);

The request outputs the following:

https://auth.atlassian.com/authorize?
audience=api.atlassian.com
&client_id=${YOUR_CLIENT_ID}
&scope=read.jira-work+read.jira-user+write.jira-work
&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Foidc-callback
&state=fc85c8006c9249f3b9a4767403320ed4
&response_type=code
&prompt=consent
&code_challenge=${SOME_CHALLENGE}
&code_challenge_method=S256
&response_mode=query

The resulting redirect JWT seems to not translate the scope= in the redirect to the consent screen. If I manually replace the (.) with %3A (and leave the + to replace the spaces), then the consent screen appears. The challenge and response mode don’t seem to matter whether they are there or not; it really is a problem with auth.atlassian.com not reading the URL-encoded scope string with a (.) in it.

The JWT that is sent to the consent endpoint (api.atlassian.com/oauth2/authorize/server/consent?context=) is:

{
  "nbf": 1717518930,
  "iss": "auth.atlassian.com",
  "iat": 1717518930,
  "exp": 1717522530,
  "aud": "api.atlassian.com",
  "user_id": "${YOUR_USER_ID}",
  "redirect_uri": "/authorize?client_id=${YOUR_CLIENT_ID}&redirect_uri=http://localhost:3000/oidc-callback&response_type=code&state=478494ea55824be3a18a2e2d83b6ba0c&code_challenge=m-rXUpzzd-cFSIPc4UwuHPHBdgOhrkckHO9GkUXj1C8&code_challenge_method=S256&response_mode=query&prompt=consent&audience=api.atlassian.com&scope=&csrf_token=718d6bec-cf5c-4a98-91fc-76147cdc23ca",
  "client": {
    "client_id": "${YOUR_CLIENT_ID}",
    "name": "Portal",
    "logo_uri": "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/default-avatar.png"
  }
}

Notice the scope= from the above request doesn’t get translated (probably because the auth service logic can’t parse it with the dots (.) in the scope names).

Is there a bug on the auth service side that doesn’t process the (.) in the scope string as intended?


Hi @PatrickEthier ,

Could you provide a sample reproducible application that uses the OIDC library? This would help us reproduce this issue locally and troubleshoot it further.

Are you also seeing an error when you use ":" in the scope? Or is the issue only faced with the scope that uses a dot (.)? If not with the colon, you can use read:jira-work, write:jira-work, and read:jira-user as mentioned in the document.

Best regards,
Deepak Pandey
Developer Support Engineer

You can use the URLs from the developer tab, replace the %3A with dots, and use the developer tab of your browser to see what is happening.

Dots don’t need to be URL-escaped according to the RFC.

The colon worked, but the dot thing is a bug; your OIDC code is not RFC compliant.