Rest API weird behavior when searching project authenticated as addon

In our connect addon, we try to trigger some requests authenticated as addons (making api requests to the product as the addon). Purpose is to differ processing in asynchronous tasks, out of an authenticated user request.

However, after having read documentation and tested apis, I’m a little bit confused on how calls to jira cloud rest api without impersonation are supposed to behave.

Each jira cloud rest endpoint defines scope (of the addon) and permissions (of the authenticated user) and documentation says :

for Connect apps, the app user must have the required permissions for the operation and the app must have scopes that permit the operation

Now, I’ve made some calls authenticated as addons with an addon having PROJECT_ADMIN and ADMIN scope and I see some differences:

  • get all projects => requires scope “READ” and permissions “Browse Project” => return the full list of projects of my instance. However this call is deprecated and risky when a lot of projects exists on the instance (eg: timeout).
  • search project => requires scope “ADMIN” and permissions “Browse Project” => return no project, but Http status 200 with an empty list.

So here, I already have some interrogations:

  • no impersonation, however, both call ends with a HTTP 200, and one of them return the full list of projects…
  • why a different result between the 2 calls ? One is paginated and the others not, that’s it, it should not behave differently…

I continue my investigation and try doing some calls, always without impersonation, to:

  • myself => it returns a user that looks to represent the addon.
  • my permissions => configured with a given project id and BROWSE_PROJECTS permission => it returns that the user has Browse permission on this project id.

I’ve checked in project permission screen, and it looks that I have some generated groups (eg: atlassian-addons-project-access, atlassian-addons-admin) which looks, in term of naming, similar to addon scope and a user representing my addon.
I try to assign permission on projects with these groups and the addon user, but it has no impact on “project search” calls, why ?

If anyone can help me to understand how it is supposed to behave, I would be graceful for her/his assistance. :slight_smile:

Thanks !