
Forge apps might not work as expected if IP allowlist is enabled

    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • IP Allowlisting
    • None

      Issue Summary

      When using apps (add-ons) developed with Forge, their macros may not work as expected if the user has IP Allowlisting enabled. Sometimes the macro will throw an error or simply will not work at all.

      Steps to Reproduce

      1. Create/install an app built with Forge that has a macro;
      2. Try to use the macro provided by the app.

      We noticed the problem happens when the macro / app tries to perform any type of API request, which seems to be blocked by the IP Allowlist.

      Expected Results

      The macro should work without problems.

      Actual Results

      Depending on the macro, it might throw an error or simply not work at all.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.


            Hi everyone,

            This is Aditya from the IPAllowlisting team. Thank you for your patience as we work on fixing this bug. We pushed a fix to solve this issue for Automation For Confluence. You should no longer be seeing these errors when using Automation For Confluence. We have created https://jira.atlassian.com/browse/ACCESS-1442 to separately track IPAllowlisting errors for `asApp` requests and we will be closing this issue. Please follow https://jira.atlassian.com/browse/ACCESS-1442 if you are impacted by IPAllowlisting errors on `asApp` requests.

            Best,

            Aditya

            Aditya Guntupalli added a comment

            Hello!

            We are using IP Allowlisting and trying to use the new Behaviours capability from Adaptavist. 

            Is there an ETA on when the in-progress bug might be fixed?

            Thanks!

            -Rick

            Rick Olson added a comment

            Atlassian-SCSK開発者 added a comment - edited

            Changing `asApp()` to `asUser()` worked for invoking requests. Is there any workaround for the requests that are restricted to `asApp()` API calls, such as the product events and the scheduled triggers?
            We tried updating @forge/bridge but it didn't work.


            Hey folks, just wanted to comment publicly that we're aware of a corner case with Confluence Automation that was not solved by our initial fix. We're working on it now.

            Jonathon Yu added a comment

            Based on the last comment by Aditya Guntupalli I tested the Confluence automation using the rule, "Update label on a recurring basis", from the library and we are still getting the same error as before. I then tried creating several other rules with different triggers and actions and none of them work. They all fail with:

            Error in execution:
            Forbidden. Trace ID: [random trace id]
            No related entities could be found.

            Robert Klohr added a comment

            Update: We have rolled out some changes so that any forge apps invoking `api.asUser()` requests should not be impacted by IP allowlists.

            Aditya Guntupalli added a comment

            3ea8e896bf0d thank you for reaching out! At the moment we are in the process of testing and gradually rolling out a fix for this. We will post another update next week.

            Aditya Guntupalli added a comment

            Robert Klohr added a comment - edited

            The last update I received, last September via a support issue I opened on this bug, was that the fix was scheduled to deliver late Q4 2022 with a deadline of 30 December 2022. As we are one month out from the deadline and there have been no informational updates to this issue from Atlassian, I would appreciate someone providing an update here addressing the question of when this fix can be expected. 


            I will be looking forward to this as well.  It's a shame that I had to uninstall some add-ons and discontinue use of them because of this issue.  A loss for me and the vendors who provide those add-ons.

            Janet Dixon added a comment

            Echoing the above, I am having difficulties with Automation for Confluence due to this issue. Any CQL in an action fails, and my automations cannot trigger via a webhook because the webhook call never makes it to the Confluence endpoint.

            This is pretty limiting as far as what is possible in the A4C app with this bug in place.

            Geoffrey Moes added a comment

            Robert Klohr added a comment - edited

            This issue also prevents the new Confluence Automation feature from working.  We have an open issue PCS-99925 for the Confluence Automation problem.

            Update on 2022-10-11:

            The most recent update in our issue estimates a delivery date of December 2022.

            Update on 2022-05-30:

            Atlassian support confirmed that this issue exists and that, at least for Confluence Automation, "Development teams are discussing on how to bypass this for apps which use Forge."


            Thank you James

            I have upvoted and am watching that ticket.

            Hua Soon SIM [Akeles] added a comment

            Hi all, I'm sorry to hear about the issues this has caused for your apps and customers.

            Requests from Forge backend functions are indeed blocked by the IP allowlist, however a workaround that some apps could use is to make the requests via the Custom UI bridge, instead.

            We are tracking this issue over at https://ecosystem.atlassian.net/browse/FRGE-634 so I will link that issue to this one. I have notified the responsible product manager about the additional feedback from all of you in this comments section.

            James Hazelwood added a comment
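            The behaviour described in the comment above, as an added example that is not part of the original thread and not Atlassian's implementation: a simplified allowlist check showing why a request sent through the Custom UI bridge (assumed to leave from the user's browser, inside the allowed range) passes while a Forge backend request (assumed to leave from platform infrastructure outside it) gets a 403. All addresses, the allowlist and the function names are constructed for illustration.

```javascript
// Added illustration: simplified model of an org IP allowlist decision.
// Addresses come from the RFC 5737 documentation ranges (constructed data).

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);
}

// True when ip falls inside the CIDR block (a bare address is treated as /32).
function inCidr(ip, cidr) {
  const [base, bitsText] = cidr.split('/');
  const bits = bitsText === undefined ? 32 : Number(bitsText);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`invalid prefix length in ${cidr}`);
  }
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// The allowlist only sees the source address, not which app or user sent it.
function evaluate(request, allowlist) {
  const allowed = allowlist.some((cidr) => inCidr(request.sourceIp, cidr));
  return { path: request.path, sourceIp: request.sourceIp, status: allowed ? 200 : 403 };
}

// Constructed allowlist: the organisation's office egress range.
const ALLOWLIST = ['198.51.100.0/24'];

// Constructed requests for the two paths discussed in the thread.
const REQUESTS = [
  { path: 'Custom UI bridge (user browser)', sourceIp: '198.51.100.23' },
  { path: 'Forge backend function', sourceIp: '203.0.113.40' },
];

function report() {
  return REQUESTS.map((r) => evaluate(r, ALLOWLIST));
}

for (const row of report()) {
  console.log(`${row.status} ${row.path} from ${row.sourceIp}`);
}
```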

            Hi Georg,

            Thank you for your advice. 

            I think it is because we are using UI Kit whereas you are using Custom UI.

            Do you have any Forge apps that are using UI Kit?

            Hua Soon SIM [Akeles] added a comment

            I would like to say thanks to Georg and Hua for their work on this issue.  Georg has really done an outstanding job in resolving and providing assistance to another vendor to help them with their app.  I am surprised that Atlassian hasn't reached out to all vendors who may be affected to  provide them with the required information and follow-up. Thanks for working with each other.  I appreciate the level of service you've both provided.

            Janet Dixon added a comment

            Hi Hua Soon,

            we are importing

            import { requestConfluence } from '@forge/bridge'; 

            and then perform the search via

            requestConfluence('/wiki/rest/api/search?...'); 

            After updating @forge/bridge to ^2.1.3 it worked with IP allow list enabled.

            Georg Schmidl added a comment

            Hi Georg,

            Thanks for the tip, but it did not work for us.

            We also got a 1 review for our Canned Search for Confluence Cloud app because of this bug  😢

            We will be glad to assist the Forge team to get this fixed.

            Hua Soon SIM [Akeles] added a comment

            Thanks to you, Georg for being so awesome and having this resolved so quickly for Link Management!  I wish everyone provided such fantastic support!  You rock!

            Janet Dixon added a comment

            Update: We now managed to solve this issue with the IP allowlist for our app “Link Management” by updating “@forge/bridge” to the latest version. It might also work for other app vendors. Thank you, Janet, for staying on top of this  

            Georg Schmidl added a comment

            We received a 1-Star review because of this bug. https://marketplace.atlassian.com/apps/1224660/link-management-for-confluence?hosting=cloud&tab=reviews We are very sad 😢

            Georg Schmidl added a comment

            I have this occurring with the add-ons.  Having an IP allowlist also broke the way the Confluence App works in MS Teams too.  This needs to be resolved.  Otherwise, myself and many others who use these add-ons and have an IP allowlist will need to remove the add-ons and not use them anymore.  Sad for Forge.  Fix this Atlassian!  Please!

            Janet Dixon added a comment

              ecf27a037d15 Aditya Guntupalli
              gtworkowski Guilherme T (Inactive)
              Affected customers: 18
              Watchers: 42
