Rest API call for fetching teams

I am trying to fetch the team details in my Forge App but I am always encountering errors.
I wrote this code

    const organizationRes = await requestJira(`/rest/api/3/organization`);
    const organizationData = await organizationRes.json();
    // Assuming you want the first organization name if multiple organizations are returned
    const firstOrganizationName = organizationData[0]?.name;
    setOrganizationName(firstOrganizationName);

but I am still not able to fetch it. Please help. Also, when I try to use

    const response = await api.asUser().requestJira(route`/rest/api/3/project/${projectIdOrKey}`, {
      headers: {
        'Accept': 'application/json'
      }
    });

    console.log(`Response: ${response.status} ${response.statusText}`);
    console.log(await response.json());

I get a Content Security Policy error.

Hello @SandeshRai

I’ve never seen any ‘organization’ REST API endpoint for Jira Cloud with that path /rest/api/3/organization.

Can you please provide a link to the documentation that describes it?

    GET {{baseurl}}/gateway/api/v3/teams/search?organizationId={organizationId}

Ran this in my Postman and was getting the output

Welcome to the Atlassian developer community @SandeshRai,

I’m not sure if the v3 is correct, but there is a Team REST API which should work in Postman with an API Token. To my knowledge, that API would not work in Forge or with requestJira. The Team REST API docs don’t mention any Forge auth at all.

It might work through GraphQL using requestGraph but I haven’t tried it myself. It seems suspicious because there are no Forge scopes.

Hello @SandeshRai

As @ibuchanan has advised, there is no such ‘v3’ version of the Teams REST APIs nor one with any such format as the one you have provided. Also, that request you have just cited is nothing like the one you posted in your original question!

So, I ask again, please provide a link to the specific, official documentation that describes this endpoint /gateway/api/v3/teams/search that you claim ‘gives the output’. Also, please provide screen grabs of your Postman session to that endpoint showing:

  • The authentication method you used
  • The entire path of the request
  • The JSON response from that endpoint

I get a bad feeling that you’re another one of ‘those people’ who is silly enough to try hijacking the internal REST API endpoints for their own purposes, by reading articles like this one, but simply doesn’t pay any attention to where it says, very clearly and distinctly,


That’s not part of the product’s APIs which means that individual admins can use their personal API tokens to access this, but it is out of reach for Connect and Forge apps. And if I am not totally mistaken, it’s also not part of the official APIs, so you should not rely on using for any production workload, as you are basically hacking.

or


This is totally a hack, gathered from sniffing the Search People/Teams page. Totally correct that this is probably only usable for unofficial admin work, like one-time scripts, etc. certainly not for apps or production automation things

It might work through GraphQL using requestGraph but I haven’t tried it myself. It seems suspicious because there are no Forge scopes.

@ibuchanan, I think your suspicions are partly correct.

I can use the requestGraph function to call the teams api and get some results

    const variables = ''
    const headers = ''
    const orgQuery = `query myConfluenceApp_user_getCloudId {
        tenantContexts(cloudIds:["${req.context.cloudId}"]) {
          cloudId , orgId
        }
      }`
    const orgResult = await api.asApp().requestGraph(orgQuery, variables, headers);
    const data = (await orgResult.json()).data
    console.debug("Orgs result", orgResult.status, data, data.tenantContexts[0].orgId)
    const orgId = data.tenantContexts[0].orgId
    const query = `query jiraTeams {
      team @optIn(to: "Team-search-v2") {
        teamSearchV2(organizationId: "ari:cloud:platform::org/${orgId}", siteId: "${req.context.cloudId}") {
          nodes {
            memberCount
            includesYou
            team {
              displayName
              id
              members {
                nodes {
                  state
                  role
                  member { id name }
                }
              }
            }
          }
        }
      }
    }`
    const result = await api.asApp().requestGraph(query, variables, headers);

This gives some details on the team

  memberCount: 2,
  includesYou: false,
  team: {
    displayName: 'Team 1',
    id: 'ari:cloud:identity::team/bc09f6f5-b578-4e22-b139-063afa4291f5',
    members: { nodes: [Array] }
  }
}

However, if we look at the members of the team I can’t get those details and run into a scope issue.

[
  { state: 'FULL_MEMBER', role: 'ADMIN', member: null },
  { state: 'FULL_MEMBER', role: 'REGULAR', member: null }
]

The GraphQL call does give descriptive errors.

  {
    message: 'This request does not contain the right authorisation scopes to access this field',
    locations: [],
    path: [
      'team',
      'teamSearchV2',
      'nodes',
      'team',
      'members',
      'nodes',
      'member'
    ],
    extensions: {
      requiredScopes: [Array],
      providedScopes: [Array],
      statusCode: 403,
      classification: 'InsufficientOAuthScopes',
      aggUgcPiiSafe: true,
      errorSource: 'GRAPHQL_GATEWAY'
    }
  }
] {
  requiredScopes: [ 'identity:atlassian-external' ],
  providedScopes: [
    'read:jira-work',
    'view:team:teams',
    'storage:app',
    'view:membership:teams',
    'read:user:jira',
    'read:avatar:jira',
    'read:project:jira',
    'read:jira-user',
    'read:group:jira'
  ],
  statusCode: 403,
  classification: 'InsufficientOAuthScopes',
  aggUgcPiiSafe: true,
  errorSource: 'GRAPHQL_GATEWAY'
}

The problem is that Forge doesn’t support the scope ‘identity:atlassian-external’; on forge deploy (even with no-verify) or lint it gives this error:

39:6    error    Invalid 'scopes' permission in the manifest.yml file - 'identity:atlassian-external'. Learn more about permissions at: https://go.atlassian.com/forge-permissions.  valid-permissions-required

My question: Why is this scope not supported in Forge? Without this how can an App use Teams?

2 Likes

@ibuchanan, or maybe @dmorrow / @tpettersen: any ideas on how to work around this? I’m currently blocked on an App I was hoping to build related to teams (ideally a Compass app but could be a Jira app).

Likewise, I encountered the same error and got stuck while building a Node.js application.

@dmorrow @tpettersen Any update on this? We’re also looking to build an app which requires use of the teams API within a Forge app but are currently unable to do so.

Hi @RhysDiab1, @SandeshRai, @GrahamCarrick,

Unfortunately, I’m not aware of a documented API to retrieve team data (other than the team issue custom field) which is accessible to Forge apps.

Dugald

2 Likes

Hi @dmorrow,

I don’t think the problem is a lack of an API. The GraphQL API has the data and if I use the GraphQL explorer I can get the data. The issue is that the scopes required to access that API are not supported in Forge.

From my previous message:

The problem is that Forge doesn’t support the scope ‘identity:atlassian-external’; on forge deploy (even with no-verify) or lint it gives this error.

My guesses based on now somewhat outdated info:

If I were to guess this is more an issue related to install scopes. We know that apps cannot access data for a different product to the one they are installed in. My guess would be that the scope “identity:atlassian-external” is being treated in the same way and not allowed.

The teams API is a platform service connected to an Org and the search API requires specifying a site context. There may be a security issue to be investigated around apps accessing data for other sites which the user has access to but the App doesn’t have the install scope for.

I believe that there is a lot of potential for Apps built using teams rather than relying on the Jira/Confluence groups, as groups are primarily for access control. I’m happy to chat more to you or someone 1-1 if it helps move that Teams API access forward.

3 Likes

I can confirm your guesses. The atlassian-external scope isn’t “real”. Apps cannot declare it, nor can customers authorize it.

I can also confirm your understanding of the security contexts. It’s a known constraint and one we are trying to expand. But there are many directions to go: cross-product (same site), cross-site, org-level, etc. We’re still trying to work out the intersection of what’s possible and what’s valuable. I don’t think Teams would be unlocked anytime soon.

Agreed! And I’m glad to hear you’re thinking that way and that certainly lines up with how we want Teams to be used. But it could take some time for that to become real.

4 Likes

I encountered the same error and got stuck :joy: