Hello,
We are using the following endpoint: POST /rest/api/3/issue/properties/multi on our Connect app. The endpoint returns a 303 in order to the http client perform a redirect to the async task created by Atlassian (the redirect is done automatically in most of http clients).
When the http client tries to perform the redirect, it will re-use the authentication headers and it will fail - getting an Unauthorized 401. This is happening because the generated jwt contains a qsh that prevents URL tampering (it was generated only for the first url, not for the redirect url).
This redirect on the client side makes the API difficult to implement for Connect apps. This is also happening for other endpoints on the Issue Properties bulk endpoints.
Anyone facing the same problem? I’m about to implement a workaround specific for this case, but I would say this should be changed on Atlassian side.
Paulo Alves.