URGENT! API accessible-resources endpoint returns sites/resources that are not permitted by the user

In our system user authorizes a specific JIRA site/resource so that using the API we create an issue.

We use OAuth for authorization.

The problem is that https://api.atlassian.com/oauth/token/accessible-resources endpoint returns all existing sites/resources regardless what user permitted.

Here is documentation - https://developer.atlassian.com/cloud/confluence/oauth-2-3lo-apps/

We want to get specifically the resource that user authorized so that we create ticket/issue in this site only.

This is very urgent! Please let us know how can we fix this issue.

@GarnikGiloyan,

While I can appreciate you may have a sense of urgency but what you described is how OAuth 2 has worked since launch. And I admit that others have asked for the same thing, but there isn’t a simple “fix” for this. From what I can tell, the expectation is that clients are expected to have their own “routing” to a Jira site and not depend on only the latest consent.

(Edit to more directly address the subject and the following)

The problem is that https://api.atlassian.com/oauth/token/accessible-resources endpoint returns all existing sites/resources regardless what user permitted.

If this is true, we have a bug. However, I cannot confirm this. I can only see accessible resources for which I have approved the app. It can be multiple, but it is only those authorized by me.

1 Like

Thank you for your message.

Can you please share the code you are using?

We use the following code

async accessibleResources(refreshToken: string) {
const tokenObject = await this.getToken(refreshToken);
if (tokenObject.access_token) {
const result = await this.httpService.axiosRef.get(
https://api.atlassian.com/oauth/token/accessible-resources”,
{
headers: {
Authorization: Bearer ${tokenObject.access_token},
},
}
);
if (result.data) {
return result.data;
}
}
}

Maybe there is a bug in the API version we use?

Please help to fix this issue.

@GarnikGiloyan,

It’s not the code. I’m just using Insomnia as a raw HTTP client. And I’m calling the same endpoint.

When I make an authorization request using https://api.atlassian.com/oauth2/authorize/server/consent, then I see dozens of sites where I have user access but have not granted my client permission:

I choose 1, and “Accept”.

Then I get an authorization code and exchange it for an access token using https://auth.atlassian.com/oauth/token. With that token I call https://api.atlassian.com/oauth/token/accessible-resources. The response doesn’t have dozens of sites. It just has the set that I have granted access; in my case, I only ever grant access to 1 site:

[
	{
		"id": "c68adbe0-2b09-4add-b08e-eb5797b31bc9",
		"url": "https://devpartisan.atlassian.net",
		"name": "devpartisan",
		"scopes": [
			"write:confluence-groups",
			"write:confluence-space",
			"read:confluence-content.permission",
			"write:confluence-content",
			"read:confluence-props",
			"manage:confluence-configuration",
			"read:confluence-groups",
			"read:confluence-content.summary",
			"read:confluence-user",
			"search:confluence",
			"read:confluence-space.summary",
			"write:confluence-props",
			"read:confluence-content.all",
			"write:confluence-file"
		],
		"avatarUrl": "https://site-admin-avatar-cdn.prod.public.atl-paas.net/avatars/240/site.png"
	}
]

That said, accessible resources can return multiple sites. The client does not know which one was “the last one” for a given user, so clients will need to disambiguate some other way.

3 Likes