## Our Add-on is having some issues authenticating certain API endpoints via OAuth, but can do it via Basic Auth. What are we doing wrong here?
We currently have these scopes in our (currently) private listing (full listing provided below):

```json
"scopes": [
  "admin",
  "act_as_user"
],
```
Our Add-on is having some issues authenticating certain API endpoints via OAuth, but can do it via Basic Auth. We have full scope access in our Add-on, so we are not sure why the following APIs only work with Basic Auth and not OAuth:

- /rest/api/2/group/user
- /rest/auth/1/session
The error message is as follows:

```json
{
  "error": "Add-on 'bettercloud' blocked from impersonating the user because the access token does not have the required scope(s)"
}
```
We also do not have access to the following experimental APIs via OAuth, but can via Basic Auth:

- POST /rest/api/2/user
- PUT /rest/api/2/user
- DELETE /rest/api/2/user
The error message is as follows:

```json
{
  "error": "Add-on 'bettercloud' blocked from impersonating the user because the access token does not have the required scope(s)"
}
```
## Here’s our full listing…
Below is our add-on descriptor. It’s a private add-on not yet available in the marketplace.
```json
{
  "key": "bettercloud",
  "name": "BetterCloud for Jira",
  "baseUrl": "https://x-holding.devbettercloud.com",
  "descriptor": "This is a test application for development purposes. If you're not developing it, you should uninstall this from your Atlassian instance",
  "lifecycle": {
    "installed": "/credential/atlassian/v1/installed",
    "uninstalled": "/credential/atlassian/v1/uninstalled",
    "enabled": "/credential/atlassian/v1/enabled",
    "disabled": "/credential/atlassian/v1/disabled"
  },
  "authentication": {
    "type": "jwt"
  },
  "enableLicensing": false,
  "scopes": [
    "admin",
    "act_as_user"
  ],
  "modules": {
    "webItems": [
      {
        "url": "/credential/atlassian/v1/jira/panel",
        "location": "system.top.navigation.bar",
        "name": {
          "value": "BetterCloud Jira Button"
        },
        "key": "bettercloud-jira-panel"
      }
    ]
  }
}
```
Sample OAuth token (with decoded version as well)
And a sample OAuth 2.0 access token from our application. (You’ll notice that both the ADMIN and ACT_AS_USER scopes are included with this token.)
```text
eyJraWQiOiJvYXV0aC0yLWF1dGhvcml6YXRpb24tc2VydmVyXC9rZXkiLCJhbGciOiJSUzI1NiJ9.eyJzY3AiOlsiQURNSU4iLCJBQ1RfQVNfVVNFUiJdLCJzdWIiOiJhZG1pbiIsImF1ZCI6Imh0dHBzOlwvXC8wMDAwZmZjby5hdGxhc3NpYW4ubmV0IiwiYWN0Ijp7InN1YiI6ImV5Sm9iM04wUzJWNUlqb2lZVFkzWWpkbE1qa3ROVGczTXkwek56WmtMVGhtTVdJdE9ETTNPVFk1TVRZd1ltUTFJaXdpWVdSa2IyNUxaWGtpT2lKaVpYUjBaWEpqYkc5MVpDSjkifSwidXJuOmF0bGFzc2lhbjpjb2F0OnZlcnNpb24iOiIxLjAuMCIsImlzcyI6Im9hdXRoLTItYXV0aG9yaXphdGlvbi1zZXJ2ZXIiLCJ0eXAiOiJhdGxhc3NpYW4tY29hdCIsImV4cCI6MTQ5MjYzMDMyNSwiaWF0IjoxNDkyNjI5NDI1LCJqdGkiOiI3ZjQ0OWMzYS0zNDY3LTQ4ODMtYWEwOC1mMGRiZDg4NjkwOWMifQ.Zbg76Hr2E0ZXubFCmiriG9NRG15qvReeAeDZTgKUPeFESzAjMDomwQr8oNAfqurIrptwxlO8R6Mnpz6Ncx0dVEGiMsfmhoLPBuZYX87cF5Wh0XdAX_6E4C4PrpOSCEdJe0-50Utf27sfg3yYtLS96lRMLjCPlTApNUM_Qhtlv8F5iwoJSfznZPLv5bVVOEFxuNRylqemb-JflDABXmmLgQ3oHdB8GU2SrSbcjL7hPec73I5Isf0K2nQ0OHlhk31hdTxYkm3OldoXN9Yi0-n8bOMbWWw9x3tSVkeBeKsP_h-RHX1c5tonAKSXEtCWZJ_FLFLvXx9TRBQ203rZRygn4w
```
(and the decoded payload for it)
```json
{
  "scp": [
    "ADMIN",
    "ACT_AS_USER"
  ],
  "sub": "admin",
  "aud": "https://0000ffco.atlassian.net",
  "act": {
    "sub": "eyJob3N0S2V5IjoiYTY3YjdlMjktNTg3My0zNzZkLThmMWItODM3OTY5MTYwYmQ1IiwiYWRkb25LZXkiOiJiZXR0ZXJjbG91ZCJ9"
  },
  "urn:atlassian:coat:version": "1.0.0",
  "iss": "oauth-2-authorization-server",
  "typ": "atlassian-coat",
  "exp": 1492630325,
  "iat": 1492629425,
  "jti": "7f449c3a-3467-4883-aa08-f0dbd886909c"
}
```
Here are full examples of the request and response:
Get Permissions:
```http
GET /rest/api/2/permissions HTTP/1.1
Host: 0000ffco.atlassian.net
Content-Type: application/json
Authorization: Bearer eyJraWQiOiJvYXV0aC0yLWF1dGhvcml6YXRpb24tc2VydmVyXC9rZXkiLCJhbGciOiJSUzI1NiJ9.eyJzY3AiOlsiQURNSU4iLCJBQ1RfQVNfVVNFUiJdLCJzdWIiOiJzdXBlcmFkbWluIiwiYXVkIjoiaHR0cHM6XC9cLzAwMDBmZmNvLmF0bGFzc2lhbi5uZXQiLCJhY3QiOnsic3ViIjoiZXlKb2IzTjBTMlY1SWpvaVlUWTNZamRsTWprdE5UZzNNeTB6Tnpaa0xUaG1NV0l0T0RNM09UWTVNVFl3WW1RMUlpd2lZV1JrYjI1TFpYa2lPaUppWlhSMFpYSmpiRzkxWkNKOSJ9LCJ1cm46YXRsYXNzaWFuOmNvYXQ6dmVyc2lvbiI6IjEuMC4wIiwiaXNzIjoib2F1dGgtMi1hdXRob3JpemF0aW9uLXNlcnZlciIsInR5cCI6ImF0bGFzc2lhbi1jb2F0IiwiZXhwIjoxNDkyNzA2NDUyLCJpYXQiOjE0OTI3MDU1NTIsImp0aSI6IjcyYjg2NzQwLTdhOWMtNDJkZC04YTE3LTNmZjVhM2EyYmE0ZSJ9.jXmYqo0PEsrOenLEIWKW8jY1yQTgZBGefJdRymdPHkL7RlsRL3vq8cAFG5tsVeglqEyo5aMKVl46r4uY3X5B8FdQ--WjEyt_fNej6T7z4CEi9APjcz8RUxigRxR9ySOsLqCOJli6uVVgZMZnyF6a54BMnqcUoEIZ-NFcaXA8JI7EdpyH1KWgwGhu-TSJ2w5OIxqDHJRkhNzM4q73bY378h8x55zdiP--hnBU-aIElNvFk3MtIR4up4F5CsEPAQhwOMQmSh5IZq1ItwakL1nmjw2T1AXZ_CY0Pzhv882MZIIms6x2vqA5SP9V4xkApgpOvTz2NNwRlazWeITmDtcl5g
Cache-Control: no-cache
Postman-Token: 98c03f49-cb9f-7b62-95c4-b1e2084509d1
```

Response:

```json
{
  "error": "Add-on 'bettercloud' blocked from impersonating the user because the access token does not have the required scope(s)"
}
```

Status: 403 Forbidden
Get Property:
```http
GET /rest/api/2/userProperties HTTP/1.1
Host: 0000ffco.atlassian.net
Content-Type: application/json
Authorization: Bearer eyJraWQiOiJvYXV0aC0yLWF1dGhvcml6YXRpb24tc2VydmVyXC9rZXkiLCJhbGciOiJSUzI1NiJ9.….jXmYqo0PEsrOenLEIWKW8jY1yQTgZBGefJdRymdPHkL7RlsRL3vq8cAFG5tsVeglqEyo5aMKVl46r4uY3X5B8FdQ--WjEyt_fNej6T7z4CEi9APjcz8RUxigRxR9ySOsLqCOJli6uVVgZMZnyF6a54BMnqcUoEIZ-NFcaXA8JI7EdpyH1KWgwGhu-TSJ2w5OIxqDHJRkhNzM4q73bY378h8x55zdiP--hnBU-aIElNvFk3MtIR4up4F5CsEPAQhwOMQmSh5IZq1ItwakL1nmjw2T1AXZ_CY0Pzhv882MZIIms6x2vqA5SP9V4xkApgpOvTz2NNwRlazWeITmDtcl5g
Cache-Control: no-cache
Postman-Token: 7e8c6831-6c6d-6946-1914-1689b4371fff
```

Response:

```json
{
  "error": "Add-on 'bettercloud' blocked from impersonating the user because the access token does not have the required scope(s)"
}
```

Status: 403 Forbidden
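The sample token and its decoded payload quoted earlier in the post can be checked mechanically before opening a support case. The script below is an added example, not code from the post or from Atlassian: it splits the bearer token, base64url-decodes the header, the payload and the nested `act.sub` claim without verifying the signature, and reports which scopes the token carries, whether any required scope is missing, which add-on and host it names, and whether it has expired. The `required_scopes` and `now` arguments are assumptions for the check; the token constant is the one quoted in the post.

```python
import base64
import json
import time

# The sample access token quoted in the post above (it expired in April 2017).
POSTED_TOKEN = "eyJraWQiOiJvYXV0aC0yLWF1dGhvcml6YXRpb24tc2VydmVyXC9rZXkiLCJhbGciOiJSUzI1NiJ9.eyJzY3AiOlsiQURNSU4iLCJBQ1RfQVNfVVNFUiJdLCJzdWIiOiJhZG1pbiIsImF1ZCI6Imh0dHBzOlwvXC8wMDAwZmZjby5hdGxhc3NpYW4ubmV0IiwiYWN0Ijp7InN1YiI6ImV5Sm9iM04wUzJWNUlqb2lZVFkzWWpkbE1qa3ROVGczTXkwek56WmtMVGhtTVdJdE9ETTNPVFk1TVRZd1ltUTFJaXdpWVdSa2IyNUxaWGtpT2lKaVpYUjBaWEpqYkc5MVpDSjkifSwidXJuOmF0bGFzc2lhbjpjb2F0OnZlcnNpb24iOiIxLjAuMCIsImlzcyI6Im9hdXRoLTItYXV0aG9yaXphdGlvbi1zZXJ2ZXIiLCJ0eXAiOiJhdGxhc3NpYW4tY29hdCIsImV4cCI6MTQ5MjYzMDMyNSwiaWF0IjoxNDkyNjI5NDI1LCJqdGkiOiI3ZjQ0OWMzYS0zNDY3LTQ4ODMtYWEwOC1mMGRiZDg4NjkwOWMifQ.Zbg76Hr2E0ZXubFCmiriG9NRG15qvReeAeDZTgKUPeFESzAjMDomwQr8oNAfqurIrptwxlO8R6Mnpz6Ncx0dVEGiMsfmhoLPBuZYX87cF5Wh0XdAX_6E4C4PrpOSCEdJe0-50Utf27sfg3yYtLS96lRMLjCPlTApNUM_Qhtlv8F5iwoJSfznZPLv5bVVOEFxuNRylqemb-JflDABXmmLgQ3oHdB8GU2SrSbcjL7hPec73I5Isf0K2nQ0OHlhk31hdTxYkm3OldoXN9Yi0-n8bOMbWWw9x3tSVkeBeKsP_h-RHX1c5tonAKSXEtCWZJ_FLFLvXx9TRBQ203rZRygn4w"

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_token(token: str, required_scopes=(), now=None) -> dict:
    """Report what a Connect OAuth 2.0 bearer token actually carries.

    The signature is NOT checked: only the Atlassian host holds the key for
    that, so this is a debugging aid, never an authorisation decision.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    # The descriptor lists scopes lower-case ("admin") while the token carries
    # them upper-case ("ADMIN"), so compare case-insensitively.
    granted = {s.upper() for s in payload.get("scp", [])}
    missing = sorted({s.upper() for s in required_scopes} - granted)
    # "act.sub" is itself base64url-encoded JSON naming the acting add-on
    # (addonKey) and the host installation it was issued for (hostKey).
    actor = None
    act_sub = payload.get("act", {}).get("sub")
    if act_sub:
        actor = json.loads(_b64url_decode(act_sub))
    now = time.time() if now is None else now  # overridable so expiry can be tested
    exp = payload.get("exp", 0)
    return {
        "alg": header.get("alg"),
        "user": payload.get("sub"),        # the user the add-on impersonates
        "audience": payload.get("aud"),    # the site the token is scoped to
        "scopes": sorted(granted),
        "missing_scopes": missing,
        "actor": actor,
        "expired": exp <= now,
        "seconds_left": exp - now,
    }

if __name__ == "__main__":
    report = inspect_token(POSTED_TOKEN, required_scopes=("admin", "act_as_user"))
    print(json.dumps(report, indent=2))
```

Run against the posted token the report lists both ADMIN and ACT_AS_USER with nothing missing, which confirms the 403 is not caused by a scope absent from the token itself.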