Can anybody explain what is going on here? Some posts seem to indicate that specific API methods have to be enabled for OAuth2, but I do not understand why the API docs list OAuth2 scopes then?
As a side note, I have also tested calling POST /rest/api/3/expression/eval from a Forge Custom UI directly, and that seems to work just fine, but it is not what I am looking for.
Interesting! I’ve just tried to reproduce it and have valid response from the server. Tried on both new apps and outdated once (to spot a regression if any). Could you please try whether this simple expression for you?
At this point I have no idea why that additional query param breaks things for you. Let’s see whether complexity lowering and scope change makes any difference.
Closing this issue. This is an implementation problem on our side (though I think the Forge API is trying to overachieve unnecessarily).
We are using a generic HTTP client that can be used to make requests via Custom UI bridge’s requestJira as well as via the Forge API’s requestJira. The client accepts a fetch function with the standard fetch API signature to run requests. Unfortunately, the Forge API’s requestJira changes the standard fetch API signature by trying to enforce the usage of the route template function.
To work around this inconsistency, we created a wrapper around the Forge API call like so:
This calls encodeURIComponent on the whole URL string instead of just the injected template parameters, which in turn modifies the URL we intended to call.
For us, the solution is to stick to assumeTrustedRoute. This reinstates the standard fetch API behavior and interface. Of course, in this case, we have to handle the encoding of injected parameters ourselves - but everyone using a standard fetch API will have to do this anyways.
In my opinion, the Forge API is trying to overachieve by deviating from the standard API signature. It would be better to stick to standard APIs and raise awareness of the potential security issues in the docs. The current solution can lead to quite unexpected results. I wasted a fair amount of hours trying to debug this issue, not to mention the hours Atlassian staff spent looking into this.
Thanks for your help @vpetrychuk! I managed to figure it out (see post above ). The initial error message led me down the wrong path. After reading some other posts and my own experience, I feel it’s pretty safe to say that if you get a 403 when calling an API via OAuth2 and get back the message Auth 2.0 is not enabled for method it is likely that it is an implementation issue.