Hello everyone,
I am developing a Jira add-on using Forge, and as part of the project, I’ve implemented authentication with Azure Entra ID, which is functioning as expected.
import api, { route, fetch } from "@forge/api";
// ...
const azure = api.asUser().withProvider('azure', 'my-officedemo');
Using this setup, I can retrieve a token and pass it to my API. However, I am encountering an issue: I cannot access the roles assigned to my user, which are necessary for interacting with my API.
Could you advise on how to retrieve these roles?
Thank you.
Hi @DamienVandeKerckhove. Welcome to the developer community.
Are you trying to fetch the current user’s Jira roles/groups? If so, you can make a call to the myself API method, along with an expand parameter.
Something like: (off the dome pseudo-code… haven’t tested, but you get the idea):
import api, { route } from "@forge/api";

async function getMyApplicationRoles() {
  // expand=applicationRoles asks Jira to include the application roles granted to the
  // calling user; `groups` can be added to the expand list as well.
  const response = await api.asUser().requestJira(route`/rest/api/3/myself?expand=applicationRoles`, {
    headers: { 'Accept': 'application/json' }
  });
  if (!response.ok) throw new Error(`myself request failed: ${response.status}`);
  const userData = await response.json();
  const userRoles = userData.applicationRoles?.items ?? [];
  console.log('User roles:', userRoles);
  return userRoles;
}
Hi @nmansilla! Thank you for welcoming me!
I’m using OAuth 2.0 with Azure Entra ID, and the roles need to come from Entra ID rather than Jira. I was thinking of doing something similar by calling Microsoft Graph to retrieve user roles for a specific API https://graph.microsoft.com/v1.0/applications?$select=displayName,appId,appRoles&$filter=startswith(displayName,'App-Name')
but the most secure approach would be to include roles in the access token itself, and I’m pretty sure it’s not possible to add these roles directly to the token.
I tried adding the “API scope” to the scopes array, but when I do so, I encounter an “invalid audience” error when calling:
await azure.requestCredentials(profileScopes);
Here’s the snippet I used:
// `azure` is the provider object from api.asUser().withProvider('azure', 'my-officedemo')
const profileScopes = [
  'openid',
  'api://9acdac0e-*****fbeb/.default',
];
if (!await azure.hasCredentials(profileScopes)) {
  await azure.requestCredentials(profileScopes);
}
Alternatively, I could fetch the roles directly in my API using the user ID, but that doesn’t seem like the cleanest solution.
Hey @DamienVandeKerckhove. I’m not familiar with the MS Graph API; however, with some cursory searching, I did find this endpoint: memberOf
https://graph.microsoft.com/v1.0/me/memberOf
That endpoint will return a list of groups that the user belongs to. Again, not familiar with MS Graph, but I imagine there’s linking between groups, directory roles, etc.
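Added example (not code from the thread) of processing a /me/memberOf response once the add-on has fetched it: following @odata.nextLink pages to completion, separating group entries from directoryRole entries by their @odata.type, and mapping group object IDs to app-side roles. The response body, object IDs and the mapping are constructed; the Forge provider fetch that would obtain the real body is not shown, and note that memberOf lists direct memberships only (nested groups need /me/transitiveMemberOf).

```javascript
// Constructed two-page response in the shape Graph returns for /me/memberOf.
const MEMBER_OF_URL = 'https://graph.microsoft.com/v1.0/me/memberOf';
const SAMPLE_PAGES = {
  [MEMBER_OF_URL]: {
    value: [
      { '@odata.type': '#microsoft.graph.group', id: 'g-reporters', displayName: 'Jira-Reporters' },
      { '@odata.type': '#microsoft.graph.directoryRole', id: 'r-ga', displayName: 'Global Administrator' },
    ],
    '@odata.nextLink': `${MEMBER_OF_URL}?$skiptoken=page2`,
  },
  [`${MEMBER_OF_URL}?$skiptoken=page2`]: {
    value: [
      { '@odata.type': '#microsoft.graph.group', id: 'g-admins', displayName: 'Jira-Admins' },
      // Same display name as above, different object: names are not unique or stable.
      { '@odata.type': '#microsoft.graph.group', id: 'g-other', displayName: 'Jira-Admins' },
    ],
  },
};

// Follow @odata.nextLink until the listing is complete. `getPage(url)` returns the parsed
// body; in Forge it would wrap the provider's fetch and this loop would await it. Kept
// synchronous here so the block runs stand-alone. A partial listing must never be used
// for an authorization decision, hence the hard failure on hitting the page cap.
function collectMemberOf(getPage, firstUrl = MEMBER_OF_URL, maxPages = 50) {
  const objects = [];
  let url = firstUrl;
  for (let i = 0; url && i < maxPages; i++) {
    const page = getPage(url);
    objects.push(...(page.value ?? []));
    url = page['@odata.nextLink'];
  }
  if (url) throw new Error('memberOf: page limit reached, refusing to act on a partial list');
  return objects;
}

// memberOf mixes directoryObject kinds; @odata.type tells them apart.
function splitMemberships(objects) {
  const groups = [];
  const directoryRoles = [];
  for (const obj of objects) {
    if (obj['@odata.type'] === '#microsoft.graph.group') groups.push(obj);
    else if (obj['@odata.type'] === '#microsoft.graph.directoryRole') directoryRoles.push(obj);
    // administrativeUnit and anything else is ignored here
  }
  return { groups, directoryRoles };
}

// Hypothetical mapping from group object ID to the add-on's own role names. Keyed by id,
// not displayName, because names can be renamed and duplicated (see the sample above).
const GROUP_ID_TO_APP_ROLE = { 'g-reporters': 'Reports.Read', 'g-admins': 'Reports.Admin' };

function appRolesFor(objects, mapping = GROUP_ID_TO_APP_ROLE) {
  const { groups } = splitMemberships(objects);
  const roles = groups.map((g) => mapping[g.id]).filter(Boolean);
  return [...new Set(roles)].sort();
}

function demo() {
  const objects = collectMemberOf((url) => SAMPLE_PAGES[url]);
  const { groups, directoryRoles } = splitMemberships(objects);
  return {
    groupCount: groups.length,
    directoryRoleNames: directoryRoles.map((r) => r.displayName),
    roles: appRolesFor(objects),
  };
}
```

Whatever mapping the add-on uses, keep the directoryRole entries separate from groups: an Entra admin role such as the one in the sample is a tenant-level privilege, not an app role, and should not silently become one.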