Uploaded image for project: 'Atlassian Guard'
  1. Atlassian Guard
  2. ACCESS-1442

Forge app `asApp` requests fail when IP allowlist is enabled.

XMLWordPrintable

      Issue Summary

      When using apps (add-ons) developed with Forge, the apps making asApp() requests may not work as expected if the user has IP Allowlisting enabled. The list of allowed IP addresses are listed in https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products/#Outgoing-Connections and the announcement was documented in

      • https://developer.atlassian.com/changelog/#CHANGE-1168 
        18.236.52.165/32
34.215.254.205/32
35.160.6.102/32
52.43.192.52/32
52.89.100.78/32
54.190.195.254/32
54.214.155.219/32
54.218.196.28/32
        Important

        If you plan to use these IP address ranges, it’s important that you monitor Atlassian’s documentation for changes to this range. A JSON file containing this information is published to https://ip-ranges.atlassian.com/, which may aid automation.

      Steps to Reproduce

      1. Create/ install an app built with Forge;
      2. Try to use the app on a site where IPAllowlisting is enabled;

      Any asApp() requests will be blocked by IP Allowlisting.

      Expected Results

      The app should work without problems.

      Actual Results

      App using asApp() requests, throw an error and the app doesn't work at all.

      Workaround

      You can get the full list of IP addresses via

      curl --silent https://ip-ranges.atlassian.com | jq --raw-output '[.items[] | select(.product[] | . == "forge") | .cidr][]'

            [ACCESS-1442] Forge app `asApp` requests fail when IP allowlist is enabled.

            Salah Khamassi added a comment -

            Hi, 

            The solution for Forge app by adding the IPs shared by Atlassian https://developer.atlassian.com/platform/forge/changelog/#CHANGE-1168 works only on Forge plateforms but not for Forge Remote. 

            Forge Remote will have another IPs and domains, and generally it is not a fixed IPs . So the solution would be having the IP AllowList for Jira premium accepting  also a domain, like what a Firewall allows to (IPs and domains)

            Salah Khamassi added a comment - Hi,  The solution for Forge app by adding the IPs shared by Atlassian https://developer.atlassian.com/platform/forge/changelog/#CHANGE-1168 works only on Forge plateforms but not for Forge Remote.  Forge Remote will have another IPs and domains, and generally it is not a fixed IPs . So the solution would be having the IP AllowList for Jira premium accepting  also a domain, like what a Firewall allows to (IPs and domains)

            Mike Epstein added a comment -

            fixed according to jrichards@atlassian.com  see : https://jira.atlassian.com/browse/ACCESS-1442?focusedId=3529621&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-3529621

            Mike Epstein added a comment - fixed according to jrichards@atlassian.com   see : https://jira.atlassian.com/browse/ACCESS-1442?focusedId=3529621&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-3529621

            Ignacio Vera added a comment -

            Isn't this fixed?

            https://ecosystem.atlassian.net/browse/FRGE-634 

            Ignacio Vera added a comment - Isn't this fixed? https://ecosystem.atlassian.net/browse/FRGE-634  

            Dario Sardo added a comment - - edited

            Hi,
            I had this problem after using

            runtime:
                 name: nodejs18.x

            If you don't need it, you can delete it and should be working fine

            Dario Sardo added a comment - - edited Hi, I had this problem after using runtime:      name: nodejs18.x If you don't need it, you can delete it and should be working fine

            Bernhard Gruenewaldt added a comment -

            This affects our app and customers as well.

            Bernhard Gruenewaldt added a comment - This affects our app and customers as well.

            新井 聡 added a comment -

            By setting the IP allow list in the URL, the app appears to work properly.

            https://developer.atlassian.com/platform/forge/changelog/#CHANGE-1168

            新井 聡 added a comment - By setting the IP allow list in the URL, the app appears to work properly. https://developer.atlassian.com/platform/forge/changelog/#CHANGE-1168

            Armin Meyer (Seibert - Coderay) added a comment -

            We found a solution that works for our developed Forge App.

            If you add the given IP-Ranges from here to the allowlist it works:

            https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products/#Outgoing-Connections

            Armin Meyer (Seibert - Coderay) added a comment - We found a solution that works for our developed Forge App. If you add the given IP-Ranges from here to the allowlist it works: https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products/#Outgoing-Connections

            Safura Isayeva added a comment -

            +1

            Safura Isayeva added a comment - +1

            Armin Meyer (Seibert - Coderay) added a comment -

            We are facing the same problem.

            Armin Meyer (Seibert - Coderay) added a comment - We are facing the same problem.

            Jakub Potoczek added a comment -

            The same issue appears with the AWS Service Management Connector plugin. If the IP whitelist is enabled, this plugin doesn't work."

            Jakub Potoczek added a comment - The same issue appears with the AWS Service Management Connector plugin. If the IP whitelist is enabled, this plugin doesn't work."

              341ae4134520 Bernie Wang
              ecf27a037d15 Aditya Guntupalli
              Affected customers:
              44 This affects my team
              Watchers:
              54 Start watching this issue

                Created:
                Updated:
                Resolved: