JIRA - Forge - Authenticate user with Azure Entra ID

Hello everyone,

I am developing a Jira add-on using Forge, and as part of the project, I’ve implemented authentication with Azure Entra ID, which is functioning as expected.

import api, { route, fetch } from "@forge/api";

// ...

const azure = api.asUser().withProvider('azure', 'my-officedemo');

Using this setup, I can retrieve a token and pass it to my API. However, I am encountering an issue: I cannot access the roles assigned to my user, which are necessary for interacting with my API.

Could you advise on how to retrieve these roles?

Thank you :slight_smile:

Hi @DamienVandeKerckhove. Welcome to the developer community.

Are you trying to fetch the current user’s Jira roles/groups? If so, you can make a call to the myself API method, along with an expand parameter.

Something like: (off the dome pseudo-code… haven’t tested, but you get the idea):

    // Call the Jira "myself" endpoint as the current user, expanding applicationRoles
    const response = await api.asUser().requestJira(route`/rest/api/3/myself?expand=applicationRoles`, {
      headers: {
        'Accept': 'application/json'
      }
    });

    // Fail loudly instead of reading roles from an error body
    if (!response.ok) {
      throw new Error(`myself request failed with status ${response.status}`);
    }

    const userData = await response.json();

    // applicationRoles.items holds the application roles granted to this user
    const userRoles = userData.applicationRoles?.items ?? [];

    console.log('User roles:', userRoles);

Hi @nmansilla! Thank you for welcoming me! :blush:

I’m using OAuth 2.0 with Azure Entra ID, and the roles need to come from Entra ID rather than Jira. I was thinking of doing something similar by calling Microsoft Graph to retrieve user roles for a specific API (https://graph.microsoft.com/v1.0/applications?$select=displayName,appId,appRoles&$filter=startswith(displayName,'App-Name')), but the most secure approach would be to include the roles in the access token itself, and I’m pretty sure it’s not possible to add these roles directly to the token.

I tried adding the “API scope” to the scopes array, but when I do so, I encounter an “invalid audience” error when calling:

await azure.requestCredentials(profileScopes);

Here’s the snippet I used:

const profileScopes = [
  'openid',
  'api://9acdac0e-*****fbeb/.default',
];

if (!await azure.hasCredentials(profileScopes)) {
  await azure.requestCredentials(profileScopes);
}

Alternatively, I could fetch the roles directly in my API using the user ID, but that doesn’t seem like the cleanest solution.

Hey @DamienVandeKerckhove. I’m not familiar with the MS Graph API; however, with some cursory searching, I did find this endpoint: memberOf

https://graph.microsoft.com/v1.0/me/memberOf

That endpoint will return a list of groups that the user belongs to. Again, not familiar with MS Graph, but I imagine there’s linking between groups, directory roles, etc.
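To show what consuming `/me/memberOf` actually involves, here is an added example (not code from the thread or from Forge) that walks the endpoint's paginated response and separates groups from directory roles. Graph returns the membership in pages linked by `@odata.nextLink`, and each object carries an `@odata.type` that says whether it is a group or a directory role, so a client has to follow the links and branch on that type. The fetch function is injected and the two sample pages are constructed, so the snippet runs offline; in a Forge app the injected function would wrap the provider's fetch with the user's token. Note that `memberOf` lists direct memberships only; nested group membership needs `transitiveMemberOf`.

```javascript
// Added example: collect a user's Graph memberOf entries across pages and split
// them by object type. The fetcher is injected so this runs offline on sample data.
const GRAPH_BASE = "https://graph.microsoft.com/v1.0";

// Constructed sample pages standing in for real Graph responses.
const SAMPLE_PAGES = {
  [`${GRAPH_BASE}/me/memberOf`]: {
    value: [
      { "@odata.type": "#microsoft.graph.group", id: "g-1", displayName: "Jira-Admins" },
      { "@odata.type": "#microsoft.graph.directoryRole", id: "r-1", displayName: "Global Reader" },
    ],
    "@odata.nextLink": `${GRAPH_BASE}/me/memberOf?$skiptoken=page2`,
  },
  [`${GRAPH_BASE}/me/memberOf?$skiptoken=page2`]: {
    value: [
      { "@odata.type": "#microsoft.graph.group", id: "g-2", displayName: "Jira-Users" },
    ],
  },
};

// Stand-in for fetch(): resolves URLs against the constructed pages above.
async function sampleFetch(url) {
  const body = SAMPLE_PAGES[url];
  if (!body) return { ok: false, status: 404, json: async () => ({}) };
  return { ok: true, status: 200, json: async () => body };
}

// Follow @odata.nextLink until exhausted and bucket objects by @odata.type.
async function collectMemberOf(fetchFn) {
  const result = { groups: [], directoryRoles: [], other: [] };
  let url = `${GRAPH_BASE}/me/memberOf`;
  let pages = 0;
  while (url) {
    if (++pages > 50) throw new Error("too many pages"); // guard against a looping nextLink
    const res = await fetchFn(url);
    if (!res.ok) throw new Error(`Graph returned ${res.status}`);
    const body = await res.json();
    for (const obj of body.value || []) {
      const entry = { id: obj.id, displayName: obj.displayName };
      switch (obj["@odata.type"]) {
        case "#microsoft.graph.group":
          result.groups.push(entry);
          break;
        case "#microsoft.graph.directoryRole":
          result.directoryRoles.push(entry);
          break;
        default:
          result.other.push(entry);
      }
    }
    url = body["@odata.nextLink"];
  }
  return result;
}

// Authorize on the immutable object id, not displayName: names can be renamed or duplicated.
async function isMemberOfGroup(fetchFn, groupId) {
  const membership = await collectMemberOf(fetchFn);
  return membership.groups.some((g) => g.id === groupId);
}

collectMemberOf(sampleFetch).then((m) => {
  console.log("groups:", m.groups.map((g) => g.displayName));
  console.log("directory roles:", m.directoryRoles.map((r) => r.displayName));
});
```

Checking membership by object id rather than by display name is the security-relevant detail here: a group's name is not a stable or unique identifier, while its id does not change for the life of the object.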