Rest API call for fetching teams

SandeshRai · April 29, 2024, 5:46am

I am trying to fetch the team details in my Forge App but I am always encountering errors.
I wrote this code

    const organizationRes = await requestJira(`/rest/api/3/organization`);
    const organizationData = await organizationRes.json();
    // Assuming you want the first organization name if multiple organizations are returned
    const firstOrganizationName = organizationData[0]?.name;
    setOrganizationName(firstOrganizationName);

but I am still not able to fetch it. please help , also when I try to use

const response = await api.asUser().requestJira(route`/rest/api/3/project/${projectIdOrKey}`, {
      headers: {
        'Accept': 'application/json'
      }
    });
    
    console.log(`Response: ${response.status} ${response.statusText}`);
    console.log(await response.json());

I get Content Security Policy error.

sunnyape · April 29, 2024, 8:04am

Hello @SandeshRai

I’ve never seen any ‘organization’ REST API endpoint for Jira Cloud with that path /rest/api/3/organization.

Can you please provide a link to the documentation that describes it.

SandeshRai · April 29, 2024, 10:14am

GET {{baseurl}}/gateway/api/v3/teams/search?organizationId={organizationId}
ran this in my postman and was getting the output

ibuchanan · April 29, 2024, 11:19am

Welcome to the Atlassian developer community @SandeshRai,

I’m not sure if the v3 is correct, but there is a Team REST API which should work in Postman with an API Token. To my knowledge, that API would not work in Forge or with requestJira. The Team REST API docs don’t mention any Forge auth at all.

It might work through GraphQL using requestGraph but I haven’t tried it myself. It seems suspicious because there are no Forge scopes.

GrahamCarrick · May 8, 2024, 12:23am

It might work through GraphQL using requestGraph but I haven’t tried it myself. It seems suspicious because there are no Forge scopes.

@ibuchanan , I think your suspicions are partly correct.

I can use the requestGraph function to call the teams api and get some results

 const variables = ''
    const headers = ''
    const orgQuery = `query myConfluenceApp_user_getCloudId {
        tenantContexts(cloudIds:["${req.context.cloudId}"]) {
          cloudId , orgId
        }
      }`
      const orgResult = await api.asApp().requestGraph(orgQuery, variables, headers);
      const data = (await orgResult.json()).data
      console.debug("Orgs result", orgResult.status,data ,data.tenantContexts[0].orgId )
      const orgId = data.tenantContexts[0].orgId
    const query = ` query jiraTeams { team @optIn(to: "Team-search-v2")  { 

      teamSearchV2(organizationId:"ari:cloud:platform::org/${orgId}" , siteId:"${req.context.cloudId}") {
        nodes {
          memberCount
          includesYou
          team {displayName id 
            members {  
                nodes  {
                  state
                  role
                  member { id name} 
                      }
              }
          }
        }
    
      }
    }
    
    }`
    const result = await api.asApp().requestGraph(query, variables, headers);

This gives some details on the team

  memberCount: 2,
  includesYou: false,
  team: {
    displayName: 'Team 1',
    id: 'ari:cloud:identity::team/bc09f6f5-b578-4e22-b139-063afa4291f5',
    members: { nodes: [Array] }
  }
}

However, if we look at the members of the team I can’t get those details and run into a scope issue.

[
  { state: 'FULL_MEMBER', role: 'ADMIN', member: null },
  { state: 'FULL_MEMBER', role: 'REGULAR', member: null }
]

The graphql call does give descriptive errors.

  {
    message: 'This request does not contain the right authorisation scopes to access this field',
    locations: [],
    path: [
      'team',
      'teamSearchV2',
      'nodes',
      'team',
      'members',
      'nodes',
      'member'
    ],
    extensions: {
      requiredScopes: [Array],
      providedScopes: [Array],
      statusCode: 403,
      classification: 'InsufficientOAuthScopes',
      aggUgcPiiSafe: true,
      errorSource: 'GRAPHQL_GATEWAY'
    }
  }
] {
  requiredScopes: [ 'identity:atlassian-external' ],
  providedScopes: [
    'read:jira-work',
    'view:team:teams',
    'storage:app',
    'view:membership:teams',
    'read:user:jira',
    'read:avatar:jira',
    'read:project:jira',
    'read:jira-user',
    'read:group:jira'
  ],
  statusCode: 403,
  classification: 'InsufficientOAuthScopes',
  aggUgcPiiSafe: true,
  errorSource: 'GRAPHQL_GATEWAY'
}

The problem is that forge doesn’t support the scope ‘identity:atlassian-external’ , on forge deploy(even with no-verify) or lint it gives this error

39:6    error    Invalid 'scopes' permission in the manifest.yml file - 'identity:atlassian-external'. Learn more about permissions at: https://go.atlassian.com/forge-permissions.  valid-permissions-required

My question: Why is this scope not supported in Forge? Without this how can an App use Teams?

GrahamCarrick · May 14, 2024, 11:47pm

@ibuchanan , or maybe @dmorrow / @tpettersen : any ideas on how to work around this? I’m currently blocked on an App I was hoping to build related to teams(ideally a Compass app but could be a Jira app).

kiranS · May 22, 2024, 9:34am

Likewise, I encountered the same error and got stuck. while build nodejs application

RhysDiab1 · June 6, 2024, 5:26am

@dmorrow @tpettersen Any update on this? We’re also looking to build an app which requires use of the teams API within a Forge app but are currently unable to do so.

dmorrow · June 6, 2024, 4:04pm

Hi @RhysDiab1 , @SandeshRai , @GrahamCarrick , …

Unfortunately, I’m not aware of a documented API to retrieve team data (other than the team issue custom field) which is accessible to Forge apps.

Dugald

GrahamCarrick · June 7, 2024, 12:49am

Hi @dmorrow,

I don’t think the problem is a lack of an API. The GraphQL API has he data and if I use the graphQL explorer I can get the data. The issue is that the scopes required to access that API are not supported in Forge.

From my previous message:

The problem is that forge doesn’t support the scope ‘identity:atlassian-external’ , on forge deploy(even with no-verify) or lint it gives this error.

My guesses based on now somewhat outdated info:

If I were to guess this is more an issue related to install scopes. We know that apps cannot access data for a different product to the one they are installed in. My guess would be that the scope “identity:atlassian-external” is being treated in the same way and not allowed.

The teams API is a platform service connected to an Org and the search API requires specifying a site context. There may be a security issue to be investigated around apps accessing data for other sites which the user has access to but the App doesn’t have the install scope for.

I believe that there is a lot of potential for Apps built using teams rather than relying on the Jira/Confluence groups as groups are primarily for access control. I’m happy to chat more to you or someone 1-1 if it helps more that Teams API access forward.

ibuchanan · June 7, 2024, 6:08am

I can confirm your guesses. The atlassian-external scope isn’t “real”. Apps cannot declare it, nor can customers authorize it.

I can also confirm your understanding of the security contexts. It’s a known constraint and one we are trying to expand. But there are many directions to go: cross-product (same site), cross-site, org-level, etc. We’re still trying to work out the intersection of what’s possible and what’s valuable. I don’t think Teams would be unlocked anytime soon.

Agreed! And I’m glad to hear you’re thinking that way and that certainly lines up with how we want Teams to be used. But it could take some time for that become real.

YY1 · August 28, 2024, 9:35am

I encountered the same error and got stuck

GrahamCarrick · October 29, 2024, 9:57pm

@ibuchanan , Do you know if there have been any update to this? I’d be keen to know when there is a change to make the teams API more useful for external developers. Is there somewhere I can subscribe to get updates?

ibuchanan · October 30, 2024, 2:59am

I don’t have any updates. I wasn’t able to get any publicly visible issue (ie JAC) at the time. Perhaps you could open a Jira suggestion (JAC) in the ECO project). In past, I could/would have done more to keep connecting with the internal team, but my role has changed and I’m not able to take those extra steps.

GrahamCarrick · October 30, 2024, 6:54am

Thanks for your efforts @ibuchanan, I’ll see if I can get traction through other channels like you mention.

YY1 · February 19, 2025, 7:34am

Hi @GrahamCarrick may I know if you’ve got this issue resolved now? I’m still struggling with it

GrahamCarrick · March 18, 2025, 4:56am

Hi @YY1 ,

I haven’t looked at it recently but I haven’t seen any announcement that would make me think it it possible yet.

lexek-92 · January 26, 2026, 3:08pm

Are there any updates on this issue? It seems absurd that there is no documented APIs available for the third-party apps for a product core functionality.

ibuchanan · January 26, 2026, 6:06pm

Hey @lexek-92,

I did a bit of internal searching and it seems there is either an unfinished project or unannounced changes. I’ll see if I can find out which. In any case, below does not yet cover the question asked in the OP. There aren’t scopes that unblock the REST APIs.

In the meantime, what might work is TeamV2 in GraphQL via Forge. From what I can tell, it is not expected to work with 3LO but it should for Forge. The scopes are now listed at the bottom of the schema in the GraphQL Explorer:

OAuth Scopes
One of the following scopes will need to be present on OAuth requests to get data from this field

view:membership:teams

view:membership-temp:teams

From what I can tell, just use the 1st one. There’s no changelog entry for this new scope, and I think there was an older one view:team:teams that never worked.

Sorry that I have not had time to test myself.