We're removing the allow access prompt for Forge apps

danielwinterw · October 20, 2021, 7:27pm

Hey Developer Community!

For those who don’t know me, I’m Dan, Engineering Manager on the Forge platform

I wanted to give some very early insight into a recent decision that we made about Forge. TL;DR: We’re removing user consent and individual users will no longer have to allow access to use an app. Instead, we will be relying on administrators to give consent on behalf of the users on their sites. We don’t have a timeline just yet.

Some context on what got us here:

A large reason why we are building Forge is to address security, trust, and compliance requirements in our customer’s journey to the cloud. We decided that Forge apps needed to use a fundamentally different method of authentication and authorization to what existed in Connect at the time. We needed more granular permissions and ultimately we wanted to provide more control to our customers. Forge opted to use OAuth 2.0 to achieve this.

Over the last two years, we’ve seen Forge evolve into a more mature platform. Since Forge has become generally available, we have seen many paid and free apps built on Forge and installed by 1000’s of customers. We also ran our annual Codegeist competition entirely on Forge. We’re at the stage where we are now looking to refine some of our core experiences to address any friction in Forge adoption.

We’ve seen quite a lot of feedback in relation to the “allow access” button shown for Forge apps. Some developers are asking for us to give controls to administrators to turn that off, some want it gone completely. We understand the risk this has for users onboarding to your apps. It’s a point of friction. We’ve experienced this friction internally with our own apps! Ironically, with an app that also helped us make this decision, that’s a story for another day .

Long story short, we’ve evaluated our requirements for individual user consent in collaboration with Legal, Privacy, PM, and Engineering and have found that it is not a requirement for Forge moving forward. We are now exploring the technical requirements to make this change and hope to share a timeline soon.

jmort · October 20, 2021, 7:31pm

Thanks for the heads up Dan. This is a very welcome move, the friction that those prompts bring is a big problem.

paul · October 20, 2021, 7:45pm

@danielwinterw , I noticed in our Dev environment that there was a permission page for our app. Is this an early version of what you are talking about?

tobitheo · October 20, 2021, 7:45pm

Hi, thanks for this! I can see where you guys came from regarding a trust perspective and users maybe not knowing what’s going on when an app does stuff on their behalf and I respect that. I’ve been a developer for long enough and know enough about security to know that prioritizing between security and user experience is always a painful topic So I do not envy you this decision. As a Marketplace Partner developer, I do appreciate it though since it removes friction with users using our apps which will hopefully lead to improved adoption.

Questions regarding this though:
Does this have any implications on user impersonation in Connect on Forge apps and user impersonation in application event handlers or are those unrelated topics?

danielwinterw · October 20, 2021, 8:18pm

@tobitheo this will not address user impersonation at this stage

danielwester · October 20, 2021, 8:49pm

Will there be a heads up when this announcement is done so we can update our docs?

danielwinterw · October 20, 2021, 9:59pm

@danielwester, yes. We will share more information on timelines soon

jcarter · October 22, 2021, 5:47pm

Ironically, with an app that also helped us make this decision, that’s a story for another day .

I mean, it’s another day… anyone else curious to hear this story?

FranzBinder · November 19, 2021, 7:46pm

Can you express a rough timeline in the meantime?

FranzBinder · November 22, 2021, 12:07pm

@danielwester , one more comment on this:

I noticed when testing an app with a second user I couldn’t allow the permissions.
The following message came up:

Is there a chance to do this anyway in the development stage?

Jarrod · November 29, 2021, 12:29pm

We’re having the same issue as @FranzBinder lately.

Does anyone know a way around this?

CC: @danielwinterw

BonganiGumede · November 29, 2021, 3:26pm

Hi @FranzBinder I am also struggling with the same issue you have shown above did they mentioned any thing perhaps we could expect when is this gonna be resolved ?

freatt · December 21, 2021, 8:58am

Ran into this and solved it by updating the app distribution to “Sharing” in Log in with Atlassian account

mstrelex · January 11, 2022, 12:31pm

@danielwinterw Any updates on this? Eagerly waiting for it… thanks.

barron_brock · January 21, 2022, 4:05pm

Hi! I have a client who is interested in this feature. Any ETA on when this might roll out?

asridhara · February 4, 2022, 5:00am

Hi @barron_brock , We have it on our our roadmap and will be one the next thing we pick up. We are eager to do this and will keep the community posted as soon as we start working on this. Thanks

GJRTimmer · February 9, 2022, 12:52pm

Question; is this implemented yet ?

bentley · February 9, 2022, 3:09pm

As the card is still under the “Next Up” header and not the “Shipped” one, no.

If you’d like to receive updates on when this card is shipped, you can click the “Watch” button on the card back:

system · March 11, 2022, 3:10pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.