URGENT! API accessible-resources endpoint returns sites/resources that are not permitted by the user

In our system, the user authorizes a specific JIRA site/resource so that we can create an issue using the API.

We use OAuth for authorization.

The problem is that the https://api.atlassian.com/oauth/token/accessible-resources endpoint returns all existing sites/resources regardless of what the user permitted.

Here is the documentation - https://developer.atlassian.com/cloud/confluence/oauth-2-3lo-apps/

We want to get specifically the resource that the user authorized so that we create the ticket/issue in this site only.

This is very urgent! Please let us know how we can fix this issue.

@GarnikGiloyan,

While I can appreciate that you may have a sense of urgency, what you described is how OAuth 2 has worked since launch. And I admit that others have asked for the same thing, but there isn’t a simple “fix” for this. From what I can tell, the expectation is that clients have their own “routing” to a Jira site and do not depend on only the latest consent.

(Edit to more directly address the subject and the following)

The problem is that the https://api.atlassian.com/oauth/token/accessible-resources endpoint returns all existing sites/resources regardless of what the user permitted.

If this is true, we have a bug. However, I cannot confirm this. I can only see accessible resources for which I have approved the app. It can be multiple, but it is only those authorized by me.

1 Like

Thank you for your message.

Can you please share the code you are using?

We use the following code

async accessibleResources(refreshToken: string) {
  // Exchange the stored refresh token for a fresh access token.
  const tokenObject = await this.getToken(refreshToken);
  if (tokenObject.access_token) {
    // List the sites the user has authorized this app for.
    const result = await this.httpService.axiosRef.get(
      "https://api.atlassian.com/oauth/token/accessible-resources",
      {
        headers: {
          Authorization: `Bearer ${tokenObject.access_token}`,
        },
      }
    );
    if (result.data) {
      return result.data;
    }
  }
}

Maybe there is a bug in the API version we use?

Please help to fix this issue.

@GarnikGiloyan,

It’s not the code. I’m just using Insomnia as a raw HTTP client. And I’m calling the same endpoint.

When I make an authorization request using https://api.atlassian.com/oauth2/authorize/server/consent, then I see dozens of sites where I have user access but have not granted my client permission:

I choose 1, and “Accept”.

Then I get an authorization code and exchange it for an access token using https://auth.atlassian.com/oauth/token. With that token I call https://api.atlassian.com/oauth/token/accessible-resources. The response doesn’t have dozens of sites. It just has the set to which I have granted access; in my case, I only ever grant access to 1 site:

[
	{
		"id": "c68adbe0-2b09-4add-b08e-eb5797b31bc9",
		"url": "https://devpartisan.atlassian.net",
		"name": "devpartisan",
		"scopes": [
			"write:confluence-groups",
			"write:confluence-space",
			"read:confluence-content.permission",
			"write:confluence-content",
			"read:confluence-props",
			"manage:confluence-configuration",
			"read:confluence-groups",
			"read:confluence-content.summary",
			"read:confluence-user",
			"search:confluence",
			"read:confluence-space.summary",
			"write:confluence-props",
			"read:confluence-content.all",
			"write:confluence-file"
		],
		"avatarUrl": "https://site-admin-avatar-cdn.prod.public.atl-paas.net/avatars/240/site.png"
	}
]

That said, accessible resources can return multiple sites. The client does not know which one was “the last one” for a given user, so clients will need to disambiguate some other way.

3 Likes
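One way to do the disambiguation the reply describes, as an added example that is not code from the thread or from Atlassian: store the cloud `id` of the site the user picked at consent time, then on each call locate that site in the accessible-resources response by id rather than by position, and check that the scopes granted on it cover what the app needs. The resource shape mirrors the JSON quoted above; the stored `cloudId`, the `requiredScopes` list and the sample data are assumptions.

```typescript
// Added example: pin the Jira site chosen at consent time instead of trusting
// whichever entry accessible-resources happens to return first.
export interface AccessibleResource {
  id: string;        // cloud id of the site
  url: string;
  name: string;
  scopes: string[];  // scopes the user granted this app on that site
  avatarUrl?: string;
}

export interface SiteSelection {
  resource: AccessibleResource;
  missingScopes: string[];  // required scopes the user did not grant here
}

/** Look the stored site up by cloud id and report any missing scopes. */
export function selectAuthorizedSite(
  resources: AccessibleResource[],
  cloudId: string,
  requiredScopes: string[]
): SiteSelection | null {
  const resource = resources.find((r) => r.id === cloudId);
  // Null means the user revoked the app on that site or never authorized it:
  // the app should re-prompt for consent, not fall back to another site.
  if (!resource) return null;
  const granted = new Set(resource.scopes);
  const missingScopes = requiredScopes.filter((s) => !granted.has(s));
  return { resource, missingScopes };
}

/** Per-site API base URL (the /ex/jira/{cloudId} path is Atlassian's documented form). */
export function jiraApiBase(cloudId: string): string {
  return `https://api.atlassian.com/ex/jira/${encodeURIComponent(cloudId)}/rest/api/3`;
}

// Constructed sample: the user authorized two sites; only "beta" was stored for this install.
export const sampleResources: AccessibleResource[] = [
  { id: "11111111-1111-1111-1111-111111111111", url: "https://alpha.example.atlassian.net",
    name: "alpha", scopes: ["read:jira-work"] },
  { id: "22222222-2222-2222-2222-222222222222", url: "https://beta.example.atlassian.net",
    name: "beta", scopes: ["read:jira-work", "write:jira-work"] },
];
```

If `selectAuthorizedSite` returns a selection with a non-empty `missingScopes`, the app should treat it as a consent problem for that site rather than retrying against a different entry in the list.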