We’ve discovered that the installationId is not a reliable identifier because it can change without any lifecycle events.
The siteId (or cloudId - naming is inconsistent everywhere) is more reliable as it does not change between installations or data recovery, so we are having to re-implement our Forge Remote Auth layer to use siteId.
However, the Connect install lifecycle event does not include the siteId so we’re having to fetch it from https://customer-name.atlassian.net/_edge/tenant_info which is only documented in the Backup Management REST API docs, and elsewhere on Atlassian support, but is not mentioned anywhere near the Forge Remote docs.
The next problem is that the Forge Invocation Token does not include the siteId, so in order to look up tenants by siteId instead of installationId we’re having to extract the siteId from the undocumented aud claims on that token. EDIT: the siteId only exists in the aud claims if we get an appSystemToken in the request from the scheduled trigger. It is not present in FITs at all.
The Forge installation requests do not contain the baseUrl (EDIT: I’m talking about https://customer-name.atlassian.net here) which we need for historical reasons documented elsewhere, and the REST APIs for obtaining it may or may not be accessible due to eventually consistent Atlassian permissions systems.
Finally, we used to use a REST API that I cannot find the documentation for anymore (/rest/atlassian-connect/1/addons/${addonKey}) in order to check whether an app’s license was still active, because there are no webhooks relating to license expiry/activation. In the Forge world I believe that the canonical way to identify whether a license is still active is to check when the last scheduled trigger request was received, but the only documentation I can find relating to this suggests we should consider the app to be uninstalled.
It feels like we’re implementing multiple workarounds in the dark because Atlassian’s Forge Remote docs do not give us any confidence that the current implementation is “official” and therefore subject to the normal deprecation policies and changelog announcements.
Equally, the information that we need to build a reliable system is just not present in all of the places we need it to be so we’re spending a lot of time implementing additional lookups and fallback mechanisms.
My requests:
- please can Atlassian document clearly the relationship between the various identifiers and under what circumstances they may change, on this page
- please can you make
siteIdandbaseUrla first class property/attribute of Connect lifecycle requests and Forge Invocation Tokens - please can you update https://developer.atlassian.com/platform/forge/remote/calling-product-apis/ to document how long an
appSystemTokenis valid for, so there is a contract with app developers