OAuth 2.0 Error in Jira APIs - 'Scope Does Not Match' with Certain Endpoints Lacking Available Scopes

DESCRIPTION:

During migration of external access to JSM using OAuth 2.0 authentication, as required to support JSM Forms, we have encountered two critical endpoints that are currently not working due to the following error, and it appears there is no available scope to make them work:

401 Unauthorized {"code":401,"message":"Unauthorized; scope does not match"}

Endpoint 1: Search for Organizations

We create JSM requests and enable users to associate them with specific organizations. To achieve this, we rely on the following endpoint, which allows searching for organizations within a specific project and service desk. However, this API is apparently unsupported for OAuth 2.0.

Endpoint:
GET /rest/servicedesk/{service_desk_id}/organisations/project/{jira_project_key}/search

This is a critical feature for us because creating JSM requests requires organization IDs, and we currently lack an alternative.

Endpoint 2: Jira Activity Stream

This endpoint is essential for retrieving the activity of related Jira issues to display in remote applications.

Endpoint:

GET /activity

Atlassian Ecosystem acknowledges this problem as unresolved: ECO-257 (https://jira.atlassian.com/browse/ECO-257).

We would appreciate any further insights or alternative recommendations for bridging these gaps.

Hello @snath

The JSM Cloud REST API documentation doesn’t describe any ‘Search for Organizations’ API endpoint with the path:

/rest/servicedesk/{service_desk_id}/organisations/project/{jira_project_key}/search

Can you please provide a link to the documentation you have been referencing that describes its use and whether or not it supports OAuth?

As for the ancient Activity Streams feed endpoint that returns RSS style XML, it’s not a REST API endpoint that returns JSON, so it’s highly unlikely it will ever support OAuth. Keep watching the ECO-257 feature request to see if Atlassian will ever consider doing it.

@sunnyape
For the endpoint related to organizations, the URL is provided in the createMeta response for the project or issue type associated with the request being created. https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-issues/#api-rest-api-3-issue-createmeta-projectidorkey-issuetypes-issuetypeid-get

Example response for the “Organizations” field, note the “autoCompleteUrl” attribute:

"customfield_10002": {
    "required": false,
    "schema": {
        "type": "array",
        "items": "sd-customerorganization",
        "custom": "com.atlassian.servicedesk:sd-customer-organizations",
        "customId": 10002
    },
    "name": "Organizations",
    "key": "customfield_10002",
    "autoCompleteUrl": "https://example.atlassian.net/rest/servicedesk/1/organisations/project/10000/search?query=",
    "operations": [
        "add",
        "set",
        "remove"
    ]
}

For the Jira Activity Stream, note that it is not a REST API service but an RSS-feed service available for consumption. https://developer.atlassian.com/server/framework/atlassian-sdk/consuming-an-activity-streams-feed/

Since the autoCompleteURL path provided in that response is most likely for an API endpoint that is probably only for use within a user’s web browser session, and it is not documented as an officially supported public API endpoint for access outside that scenario, I can’t provide any further information about its functionality or its support for OAuth access.

Someone else here may know and can answer that.

Perhaps also search JAC to see if there is a related feature request that’s already been created.
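
An added example, not part of the thread and not Atlassian's code: before an OAuth 2.0 integration follows an autoCompleteUrl taken from a createMeta response, it can check whether the path sits under a documented REST API base, which separates the Organizations URL quoted above from supported endpoints. The prefix allowlist, the function names and the sample data (the thread's Organizations field plus a constructed assignee field) are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: path prefixes of the documented public Jira Cloud / JSM REST APIs.
DOCUMENTED_PREFIXES = ("/rest/api/2/", "/rest/api/3/", "/rest/servicedeskapi/")

# Constructed sample: the "Organizations" field from the thread plus a
# constructed "assignee" field whose URL sits on a documented prefix.
SAMPLE_CREATEMETA = json.loads("""
{
  "customfield_10002": {
    "name": "Organizations",
    "key": "customfield_10002",
    "autoCompleteUrl": "https://example.atlassian.net/rest/servicedesk/1/organisations/project/10000/search?query="
  },
  "assignee": {
    "name": "Assignee",
    "key": "assignee",
    "autoCompleteUrl": "https://example.atlassian.net/rest/api/3/user/assignable/search?project=SD&query="
  },
  "summary": {"name": "Summary", "key": "summary"}
}
""")


def iter_fields(meta):
    """Yield (field_id, field) for map-shaped or list-shaped field metadata."""
    fields = meta.get("fields", meta)
    if isinstance(fields, dict):
        yield from fields.items()
    else:
        for field in fields:
            yield field.get("fieldId") or field.get("key"), field


def audit_autocomplete_urls(meta):
    """Map field id -> (path, documented?) for every field with an autoCompleteUrl."""
    report = {}
    for field_id, field in iter_fields(meta):
        url = field.get("autoCompleteUrl")
        if url:
            path = urlsplit(url).path
            report[field_id] = (path, path.startswith(DOCUMENTED_PREFIXES))
    return report


if __name__ == "__main__":
    for field_id, (path, documented) in audit_autocomplete_urls(SAMPLE_CREATEMETA).items():
        status = "documented API base" if documented else "undocumented path, OAuth scope not guaranteed"
        print(f"{field_id}: {path} -> {status}")
```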