We have an app that fetches a list of Jira projects via OAuth 2 (3LO) from REST API v2 (via GET /rest/api/2/project/search) and renders them in a third-party application.
We use project.avatarUrls["24x24"] from the result to render the project avatars. Strangely, for Jira built-in avatars this works without any issues; however, for projects with custom avatars (an image uploaded by us) the URLs return 403.
Custom avatars are user-generated content and as such require authentication. If I understand correctly, avatars are being rendered (i.e. fetched) in a third-party application – so please make sure those requests are authenticated and with the right permissions to see the avatar.
Hey @ccasais, that’s right and makes absolute sense; however, the avatars are rendered in a third-party application, i.e. I just hand them the URL, but I am not in control of how the avatars are rendered or how they are fetched.
I think the only way to work around this is to proxy the avatar request from the third-party system through our server where we can add authentication and return the image. Unfortunately, I assume we have to proxy all requests as there is no easy way to know if an avatar URL points to user-generated content or not.
@ccasais just had another look at this and did some more testing with some interesting results.
It seems project avatars in the REST API point to /secure/projectavatar?... and issue type avatars point to /secure/viewavatar?....
An interesting insight from this is that resolving custom issue type avatars via api.atlassian.com/ex/jira/[my-site-id]/secure/viewavatar?size=medium&avatarId=10929&avatarType=issuetype works without authentication.
If I use that same endpoint to try to load project avatars, it seems to default to the default project avatar but does not fail with a 403 as described above.
I am wondering what’s Atlassian’s view on this, considering that this behavior is inconsistent? Should custom avatars generally be public or should they be private? Having custom project avatars private and custom issue type avatars public does not really make sense to me.
Hey @tbinna, so sorry for the delayed response, just wanted to give you an update on this:
Both project and issue type avatars should be private and we will be rolling out a patch to ensure that’s the case within the next few weeks. Please assume those URLs will require authentication and any requests coming from third-party apps will need to be proxied.
Hope this makes sense, and please let us know if you have any further questions!
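Added example (not from the thread or from Atlassian): the proxy approach described in the two posts above, written as an allowlisting fetcher. It assumes the avatar URLs returned by the 3LO API point at api.atlassian.com/ex/jira/<cloud id>/secure/projectavatar and .../secure/viewavatar (the two paths observed in the thread); the cloud id, the query-parameter allowlist and the content-type allowlist are assumptions for the example. The security point is the allowlist: a proxy that adds our bearer token to whatever URL the third party hands back is an open proxy and a token-leak channel unless the target host, path and parameters are pinned.

```python
"""Added example (not from the thread): an allowlisting proxy for Jira avatar URLs.

The third party never sees api.atlassian.com; it gets a URL on our server, and
our server (a) checks that the requested target is one of the two avatar
endpoints for our own Jira Cloud site, (b) attaches our OAuth 2 (3LO) bearer
token, (c) fetches the image without following redirects and (d) relays only
image bodies of bounded size. Without step (a) a proxy that adds credentials
is an open proxy: anyone could make it fetch arbitrary URLs with our token.
"""
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumptions for this example: our site's cloud id and the parameters the two
# avatar endpoints accept. The endpoint paths are the ones observed in the thread.
CLOUD_ID = "00000000-0000-0000-0000-000000000000"
GATEWAY_HOST = "api.atlassian.com"
ALLOWED_PATHS = {
    f"/ex/jira/{CLOUD_ID}/secure/projectavatar",  # project avatars
    f"/ex/jira/{CLOUD_ID}/secure/viewavatar",     # issue type avatars
}
ALLOWED_PARAMS = {"pid", "avatarId", "avatarType", "size"}
ALLOWED_CONTENT_TYPES = {"image/png", "image/jpeg", "image/gif", "image/svg+xml"}
MAX_BYTES = 2 * 1024 * 1024


class RejectedUrl(ValueError):
    """Raised for anything the proxy will not fetch on the caller's behalf."""


def normalize_avatar_url(url: str) -> str:
    """Return a canonical URL for an allowed avatar endpoint, or raise RejectedUrl.

    Exact matching on scheme, netloc (so no userinfo, no port) and path, plus a
    parameter allowlist, leaves no room for host tricks, path traversal or
    smuggled parameters. The query is re-encoded in sorted order.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc.lower() != GATEWAY_HOST:
        raise RejectedUrl(f"host not allowed: {parts.netloc!r}")
    if parts.path not in ALLOWED_PATHS:
        raise RejectedUrl(f"path not allowed: {parts.path!r}")
    clean = {}
    for key, values in parse_qs(parts.query).items():
        if key not in ALLOWED_PARAMS or len(values) != 1:
            raise RejectedUrl(f"query parameter not allowed: {key!r}")
        clean[key] = values[0]
    return urlunsplit(("https", GATEWAY_HOST, parts.path, urlencode(sorted(clean.items())), ""))


def is_allowed_avatar_url(url: str) -> bool:
    """Boolean form of normalize_avatar_url, for callers that only need a verdict."""
    try:
        normalize_avatar_url(url)
        return True
    except RejectedUrl:
        return False


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """Never follow redirects: the bearer token must only ever reach GATEWAY_HOST."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused by proxy", headers, fp)


_OPENER = urllib.request.build_opener(_RefuseRedirects)


def fetch_avatar(url: str, access_token: str, opener=_OPENER.open) -> tuple[str, bytes]:
    """Validate `url`, fetch it with our 3LO token and return (content_type, body).

    `opener` is injectable so the function can be exercised offline; by default
    it is urllib's opener with redirects disabled.
    """
    target = normalize_avatar_url(url)
    req = urllib.request.Request(
        target, headers={"Authorization": f"Bearer {access_token}", "Accept": "image/*"}
    )
    with opener(req, timeout=10) as resp:
        content_type = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
        if content_type not in ALLOWED_CONTENT_TYPES:
            raise RejectedUrl(f"not an image: {content_type!r}")
        body = resp.read(MAX_BYTES + 1)
        if len(body) > MAX_BYTES:
            raise RejectedUrl("avatar larger than MAX_BYTES")
    return content_type, body


if __name__ == "__main__":
    # Constructed offline stand-in for the gateway, so the demo runs without network.
    class _FakeResponse:
        headers = {"Content-Type": "image/png"}

        def read(self, n=-1):
            data = b"\x89PNG\r\n\x1a\n"
            return data if n < 0 else data[:n]

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def fake_open(req, timeout=None):
        print("would fetch", req.full_url, "with", req.get_header("Authorization"))
        return _FakeResponse()

    good = f"https://api.atlassian.com/ex/jira/{CLOUD_ID}/secure/projectavatar?size=small&pid=10000"
    print(fetch_avatar(good, "example-token", opener=fake_open))
    print(is_allowed_avatar_url("https://api.atlassian.com/ex/jira/other-site/secure/projectavatar?pid=1"))
```

In use, the app would hand the third party a URL on its own host (for example /avatar?u=<percent-encoded avatar URL>) and the handler behind that route would call fetch_avatar and relay the content type and body. Because the allowlist covers both avatar endpoints, built-in and custom avatars can be routed through the same proxy, which matches the observation above that there is no cheap way to tell from the URL whether it points at user-uploaded content.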
I added a suggestion for avatars to be public. In my case, integrations such as Hubspot need to retrieve project icons, but currently we receive 403 Forbidden on all project icons (because we use custom icons).