Problems with Jira Cloud authentication on my Jira Cloud App


With the PHP code below:

class JsonController extends Zend_Controller_Action
{
	public $EXPIRY_SECONDS = 60;
	public $GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
	public $SCOPES = "READ WRITE ACT_AS_USER"; // case-sensitive space-delimited as per the specification

	# some code here

		$appKey = $config->appkey;
		//echo $domain->customer->domain;
		// Installation payload stored when the app was installed for this customer
		$file = file_get_contents( $applicationPath .'/../customers/'.$customer['domain'].'/installed.txt');
		//echo $file;
		$phpNative = Zend_Json::decode($file);
		$secret = $phpNative['sharedSecret'];
		$clientKey = $phpNative['oauthClientId'];
		$iat = (integer) time();
		$exp = (integer) $iat + 60;
		//echo $iat;
		// Claims of the JWT assertion sent to the authorization server
		$token = array(
				"iss" => 'urn:atlassian:connect:clientid:'.$clientKey,
				"sub" => 'urn:atlassian:connect:useraccountid:'.$appKey,
				"tnt" => 'https://'.$customer['domain'],
				"aud" => $this->AUTHORIZATION_SERVER_URL,
				"iat" => $iat,
				"exp" => $exp
		);
		try {
			$assertion = JWT::encode($token, $secret);
		} catch (ExpiredException $e) {
			echo $e->getMessage();
		}
		$config = array(
				'adapter'   => 'Zend_Http_Client_Adapter_Curl',
				'curloptions' => array(CURLOPT_FOLLOWLOCATION => true),
		);
		$uri = $this->AUTHORIZATION_SERVER_URL . '/oauth2/token';
		//echo $uri;
		$client = new Zend_Http_Client($uri, $config);
		// Setting several POST parameters, one of them with several values
		$client->setParameterPost(array(
				'scope' => $this->SCOPES,
				'assertion' => $assertion,
				'grant_type' => $this->GRANT_TYPE
		));
		//$client->setParameterPost(array('grant_type' => rawurlencode('urn:ietf:params:oauth:grant-type:').'jwt-bearer&scope='.rawurlencode('READ WRITE').'&assertion='.$jwt));
		$response = $client->request();
		$body = $response->getBody();
		echo $body;

I successfully get the JSON response below:


But when I try to use the access token in further functions I get only this:

{"error": "Add-on 'fi.i4ware.plugin.timesheet.tfj' disallowed to impersonate the user because 'no valid active user exists'"}

I am just trying to do things with this documentation, but with no 100 % success:

What to do?

Hi @matti.kiviharju,

"sub" => 'urn:atlassian:connect:useraccountid:'.$appKey,

Instead of $appKey that should be the accountId of the user.

On another note, you need to replace the authorization server hostname with

The deprecation notice from July 2020 is here.

Ok, thanks.

How do I get the user’s account id? I need the logged-in user’s account id because I want to make a feature for my Timesheet App to see who has logged work hours and who has not on MS Excel and Adobe PDF work hour reports.

And the second question is: do I need these, as in the screenshot below, for my App in this case?

The right way to get the logged-in user’s account id is below:

AP.user.getCurrentUser(function(user) {
    var userAccountId = user.atlassianAccountId;
    //your App JavaScript source code here
});

Use the variable userAccountId in hidden form fields' name attributes and/or as extra AJAX parameters on POST/GET requests. Not in URLs, for security reasons.
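
The correction from the reply above (the sub claim must carry the user's accountId, not the app key), as an added example that is not the poster's or Atlassian's code: it builds the same assertion claims and refuses the app-key mistake before signing. HS256 signing, the function names, and every key, secret, id and URL below are constructed assumptions; the authorization server URL is a placeholder because the thread does not give it.

```php
<?php
// Added example: all identifiers and values here are constructed, not from the thread.
function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Build the signed assertion for the jwt-bearer grant used in the thread.
// $accountId is the account id of the user to act as; the app key is rejected.
function buildAssertion(string $clientId, string $secret, string $accountId, string $appKey,
                        string $tenantUrl, string $audience, int $now, int $ttl = 60): string {
    if ($accountId === '' || $accountId === $appKey) {
        throw new InvalidArgumentException('sub must carry a user accountId, not the app key');
    }
    $claims = [
        'iss' => 'urn:atlassian:connect:clientid:' . $clientId,
        'sub' => 'urn:atlassian:connect:useraccountid:' . $accountId,
        'tnt' => $tenantUrl,
        'aud' => $audience,
        'iat' => $now,
        'exp' => $now + $ttl, // short-lived, as in the original code
    ];
    $input = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']))
           . '.' . b64url(json_encode($claims, JSON_UNESCAPED_SLASHES));
    return $input . '.' . b64url(hash_hmac('sha256', $input, $secret, true));
}

// Decode the payload of a compact JWT for inspection (no signature check).
function peekClaims(string $jwt): array {
    [, $payload] = explode('.', $jwt);
    return json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
}

$appKey   = 'com.example.timesheet';            // constructed app key
$tenant   = 'https://example.atlassian.net';    // constructed tenant
$audience = 'https://auth-server.invalid';      // placeholder, not the real host

$jwt = buildAssertion('constructed-client-id', 'constructed-secret',
                      '5b10ac8d82e05b22cc7d4ef5', $appKey, $tenant, $audience, time());
print_r(peekClaims($jwt));

try { // the mistake from the question: app key passed where the accountId belongs
    buildAssertion('constructed-client-id', 'constructed-secret',
                   $appKey, $appKey, $tenant, $audience, time());
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```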