OAuth authentication not working for some API endpoints (but does with Basic Auth)

## Our Add-on is having some issues authenticating certain API endpoints via OAuth, but can do it via Basic Auth.

What are we doing wrong here?

We currently have these scopes in our (currently) private listing… (full listing provided below)

"scopes": [
  "admin",
  "act_as_user"
],

Our Add-on is having some issues authenticating certain API endpoints via OAuth, but can do it via Basic Auth. We have full scope access in our Add-on, so we are not sure why the following APIs only work with Basic Auth and not OAuth:

  • /rest/api/2/group/user
  • /rest/auth/1/session

The error message is as follows:

{
  "error": "Add-on 'bettercloud' blocked from impersonating the user because the access token does not have the required scope(s)"
}

We also do not have access to the following experimental APIs via OAuth, but can do it via Basic Auth:
POST /rest/api/2/user
PUT /rest/api/2/user
DELETE /rest/api/2/user

The error message is as follows:

{
  "error": "Add-on 'bettercloud' blocked from impersonating the user because the access token does not have the required scope(s)"
}

## Here’s our full listing…

Below is our add-on descriptor. It’s a private add-on not yet available in the marketplace.

{
  "key": "bettercloud",
  "name": "BetterCloud for Jira",
  "baseUrl": "https://x-holding.devbettercloud.com",
  "descriptor": "This is a test application for development purposes. If you're not   developing it, you should uninstall this from your Atlassian instance",
  "lifecycle": {
    "installed": "/credential/atlassian/v1/installed",
    "uninstalled": "/credential/atlassian/v1/uninstalled",
    "enabled": "/credential/atlassian/v1/enabled",
    "disabled": "/credential/atlassian/v1/disabled"
  },
  "authentication": {
    "type": "jwt"
  },
  "enableLicensing": false,
  "scopes": [
    "admin",
    "act_as_user"
  ],
  "modules": {
    "webItems": [
      {
        "url": "/credential/atlassian/v1/jira/panel",
        "location": "system.top.navigation.bar",
        "name": {
          "value": "BetterCloud Jira Button"
        },
        "key": "bettercloud-jira-panel"
      }
    ]
  }
}

Sample OAuth token (with decoded version as well)

And a sample OAuth 2.0 access token from our application. (You’ll notice that both the ADMIN and ACT_AS_USER scopes are included with this token.)


(and the decoded payload for it)

{
  "scp": [
    "ADMIN",
    "ACT_AS_USER"
  ],
  "sub": "admin",
  "aud": "https://0000ffco.atlassian.net",
  "act": {
    "sub": "eyJob3N0S2V5IjoiYTY3YjdlMjktNTg3My0zNzZkLThmMWItODM3OTY5MTYwYmQ1IiwiYWRkb25LZXkiOiJiZXR0ZXJjbG91ZCJ9"
  },
  "urn:atlassian:coat:version": "1.0.0",
  "iss": "oauth-2-authorization-server",
  "typ": "atlassian-coat",
  "exp": 1492630325,
  "iat": 1492629425,
  "jti": "7f449c3a-3467-4883-aa08-f0dbd886909c"
}

Here are full examples of the request and response:

Get Permissions:

GET /rest/api/2/permissions HTTP/1.1
Host: 0000ffco.atlassian.net
Content-Type: application/json
Authorization: Bearer [access token omitted]
Cache-Control: no-cache
Postman-Token: 98c03f49-cb9f-7b62-95c4-b1e2084509d1

Response: {
  "error": "Add-on 'bettercloud' blocked from impersonating the user because the access token does not have the required scope(s)"
}
Status: 403 Forbidden

Get Property:

GET /rest/api/2/userProperties HTTP/1.1
Host: 0000ffco.atlassian.net
Content-Type: application/json
Authorization: Bearer [access token omitted]
Cache-Control: no-cache
Postman-Token: 7e8c6831-6c6d-6946-1914-1689b4371fff

Response: {
  "error": "Add-on 'bettercloud' blocked from impersonating the user because the access token does not have the required scope(s)"
}
Status: 403 Forbidden

REST API endpoints are whitelisted for Atlassian Connect. That includes both JWT and OAuth 2.0 for user impersonation. That means some documented endpoints, that work for Basic or OAuth 1.0, aren’t available for Connect add-ons. The definitive lists of whitelisted endpoints are documented here:

Specifically, you asked about /rest/api/2/group/user but I think you mean /rest/api/2/user. Note the docs indicate the GET method requires READ. So I don’t think ADMIN is the correct scope for what you want. As you have noticed, that user endpoint has NONE for POST, PUT, and DELETE, so that explains why you can’t use them with OAuth 2.0 either.

Hi Ian,

Gotcha, we’ll expand the scopes! We incorrectly thought there was a hierarchy to the scopes.

Thanks again.

@david.hardwick, sorry… One of our Sydney devs caught my error. The scopes do indeed have a hierarchy:
https://developer.atlassian.com/static/connect/docs/latest/scopes/scopes.html

If the scopes do solve the problem, let me know because that would clearly mean there’s a bug.
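As an added illustration of the two points made in the replies above (an endpoint's documented required scope, and the scope hierarchy), not code from the thread or from Atlassian: it decodes the claims of a Connect OAuth 2.0 bearer token and checks the `scp` claim against an endpoint's required scope. It assumes the hierarchical ordering READ < WRITE < DELETE < PROJECT_ADMIN < ADMIN with ACT_AS_USER outside that chain, and uses a constructed token that reuses the claims from the decoded payload shown earlier.

```python
import base64
import json

# Hierarchical Jira Connect scopes, lowest to highest: each level implies the
# earlier ones (assumed from the linked scopes page). ACT_AS_USER is separate.
SCOPE_ORDER = ["READ", "WRITE", "DELETE", "PROJECT_ADMIN", "ADMIN"]


def decode_payload(token: str) -> dict:
    """Return the JWT payload segment; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def scope_satisfied(granted: list, required: str) -> bool:
    """True if the scp claims cover `required`. NONE means the endpoint is not
    exposed to Connect add-ons at all, so no token can satisfy it."""
    if required == "NONE":
        return False
    if required == "ACT_AS_USER":
        return "ACT_AS_USER" in granted
    need = SCOPE_ORDER.index(required)
    return any(s in SCOPE_ORDER and SCOPE_ORDER.index(s) >= need for s in granted)


def check_request(token: str, required: str, impersonating: bool = True) -> bool:
    """Would this token pass for an endpoint documented as needing `required`?
    A user-impersonation call additionally needs ACT_AS_USER in scp."""
    scp = decode_payload(token).get("scp", [])
    if impersonating and "ACT_AS_USER" not in scp:
        return False
    return scope_satisfied(scp, required)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed token reusing the scp/sub/aud claims from the decoded payload
# above; the third segment is a placeholder, not a real RS256 signature.
_PAYLOAD = {"scp": ["ADMIN", "ACT_AS_USER"], "sub": "admin",
            "aud": "https://0000ffco.atlassian.net", "typ": "atlassian-coat"}
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256"}'),
                         _b64url(json.dumps(_PAYLOAD).encode()), "sig"])

if __name__ == "__main__":
    print(check_request(SAMPLE_TOKEN, "READ"))  # GET /rest/api/2/user -> True
    print(check_request(SAMPLE_TOKEN, "NONE"))  # POST /rest/api/2/user -> False
```

A 403 of the kind quoted in the thread can also come from an endpoint that is simply not on the Connect whitelist, which this check models as a required scope of NONE.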

Hi Ian,

Understood. We are focusing on getting JWT authorization to work first for the JWT Only endpoints.

So far, we’ve been able to make a call with JWT, instead of OAuth, for a whitelisted OAuth endpoint as a first step. Now we need to get the “context” in there, we believe, so that we can get these non-whitelisted OAuth endpoints.

Thanks for the link on the scopes!

Best regards,
David

Hi David,

Is the issue resolved?
We face the same issue as well for accessing the /rest/api/2/group/user endpoint.