One of our clients reported a problem with the application. The results of the analysis showed that when accessing the URL https://clients-address.atlassian.net/rest/api/3/groupuserpicker?query=""&maxResults=10&showAvatar=true&avatarSize=small&caseInsensitive=true&excludeConnectAddons=true
from our app, some users (not all of them) get a 403 error with the message “You are not authenticated. Authentication required to perform this operation.”
According to the documentation, a user is required to have the “Browse users and groups” permission to access this endpoint.
The problem is that the users who faced this issue have this permission. Moreover, they are able to open that request from the browser’s address bar and get results. What may cause such behavior?
Hi @MargaritaKravtsova ,
Can you share what type of app / auth mechanism your application is using? Is it a Connect app accessing from the front end or back end, a Forge app using asApp or asUser, a script using basic auth, or a 3LO app?
Dugald
Hi, @dmorrow ,
It is a Connect app. It requests this URL on the front end using the Connect JavaScript API. Here is my code:
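```javascript
// Request the picker data through the Connect JavaScript API.
const usersData = await AP.request({
  type: "GET",
  dataType: "json",
  contentType: "application/json",
  url: `/rest/api/3/groupuserpicker?query=""&maxResults=${maxResultsPicker}&showAvatar=true&avatarSize=small&caseInsensitive=true&excludeConnectAddons=true`,
})
  .then((data) => {
    // data.body holds the raw response text.
    return JSON.parse(data.body);
  })
  .catch((e) => {
    // On failure, log the error and fall back to an empty object.
    console.log(e);
    return {};
  });
```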
If it might be useful, I can also add that the app makes this request from a dialog, which is opened by clicking a button placed on the web panel `atl.jira.view.issue.left.context`.
Thanks @MargaritaKravtsova ,
An API call from a Connect app using `AP.request` requires both the user to have permission to the API and the app to have the scope required by the API, which in this case is `READ`. You’ve already indicated the user has permission since they can call the API directly in their browser, so the only thing I can think of is if the version of the app they are using doesn’t have the `READ` scope due to not being upgraded in their workspace. If you don’t believe this to be the case, then you may have to raise a support case to investigate this further.
Dugald
2 Likes
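The two conditions from the reply above (user permission and app scope), as an added example that is not code from the thread: instead of logging the rejection and returning `{}`, the wrapper keeps the status and error body so a 401/403 can be reported with both checks listed. The names `describeFailure` and `fetchPickerData` are hypothetical, the `{ err, xhr }` rejection shape is an assumption, and the sample rejection is constructed.

```javascript
// Added example, not the poster's code. Assumption: a rejected AP.request
// promise carries { err, xhr }; both are read defensively.
const REQUIRED_SCOPE = "READ"; // scope named in the reply above

// Turn a rejection into a record that can be attached to a support case.
function describeFailure(rejection) {
  const xhr = (rejection && rejection.xhr) || {};
  const text = xhr.responseText || "";
  let messages;
  try {
    const parsed = JSON.parse(text || "{}");
    messages = parsed.errorMessages || (parsed.message ? [parsed.message] : []);
  } catch (_) {
    messages = text ? [text] : []; // non-JSON error body
  }
  const status = Number(xhr.status) || 0;
  const denied = status === 401 || status === 403;
  return {
    status,
    messages,
    // Both conditions must hold for AP.request, so list both to verify.
    checks: denied
      ? ["user has the 'Browse users and groups' permission",
         `installed app version declares the ${REQUIRED_SCOPE} scope`]
      : [],
  };
}

// `ap` is the Connect AP object, passed in so a stub can stand in for it.
async function fetchPickerData(ap, maxResults) {
  const url = `/rest/api/3/groupuserpicker?query=""&maxResults=${maxResults}` +
    "&showAvatar=true&avatarSize=small&caseInsensitive=true&excludeConnectAddons=true";
  try {
    const res = await ap.request({ type: "GET", url });
    return { ok: true, data: JSON.parse(res.body) };
  } catch (rejection) {
    return { ok: false, failure: describeFailure(rejection) };
  }
}

// Constructed sample: a 403 carrying the message quoted in the thread.
const SAMPLE_REJECTION = {
  err: "Forbidden",
  xhr: { status: 403, responseText: JSON.stringify({
    message: "You are not authenticated. Authentication required to perform this operation.",
  }) },
};
```

In the app, `fetchPickerData(AP, maxResultsPicker)` returns `{ ok: false, failure }` for the affected users, and `failure` can be shown or sent with the support case.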