
Ability to determine sites that have already been both authenticated and authorized via endpoints


Details


    Description

      Issue Summary

      Currently, the https://api.atlassian.com/oauth/token/accessible-resources endpoint shows which sites are authorized for the app, but each site in the accessible-resources array also needs someone to go through the OAuth flow.

      It would be great if there was an endpoint that shows which cloud IDs are both authorized and authenticated. As of now, accessible-resources shows which sites can be authenticated, not which sites are authenticated.

      Example of a response for https://api.atlassian.com/oauth/token/accessible-resources (the // annotations are the reporter's notes, not part of the JSON):

      [
          {
              "id": "0000",
              "url": "https://testsite0.com", // user **did not** authenticate for this site, we are unable to get logs from this site.
              "name": "test0",
              "scopes": [
                  "read:audit-log:confluence"
              ],
              "avatarUrl": "test0.png"
          },
          {
              "id": "1111", // user **did** authenticate for this site, we want to make requests with this id
              "url": "https://testsite1.com", // How can we tell this url was authorized for on the screen
              "name": "test1",
              "scopes": [
                  "read:audit-log:jira"
              ],
              "avatarUrl": "test1.png"
          }
      ]

      Suggestion

      Either create a new endpoint to return which cloud_ids are authorized and authenticated or add a boolean to the existing endpoint for whether or not a site is authenticated, to avoid unnecessary calls.

      Workaround

      The workaround would be to make requests to each accessible resource and see which returns 200. When the user who performed the OAuth flow is not an admin, the response is 403.

      Additionally, other endpoints could be used to interrogate the user's permissions. For example, the client can get the current user using GET /rest/api/3/myself with ?expand=groups,applicationRoles. However, that alone expands the scopes the app needs (read:jira-user) without actually fixing anything. Therefore, perhaps the best error message that could be provided is the one in the Jira Platform REST API docs:

      Permissions required: Administer Jira global permission.

      Propagating that message, with links, might be the best chance users have of getting an admin to perform the action.
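The probing workaround described above, written out as an added example (this is not Atlassian code and not from the issue reporter). It walks the accessible-resources array, sends one request per site with the app's bearer token, and sorts sites into usable (200), forbidden (403, which the issue attributes to the authorizing user not being an admin) and everything else. The per-product audit-log paths keyed by scope, the `fetch` injection point and the sample data are assumptions made for the example; the constructed `fake_fetch` stands in for the network so the block runs offline.

```python
"""Probe each accessible resource to see where the OAuth token actually works.

Added example for this issue, not Atlassian code. It implements the workaround
from the description: call a product endpoint on every site returned by
/oauth/token/accessible-resources and keep the ones that answer 200. The probe
paths below are chosen to match the scopes in the example response and are an
assumption; the network call sits behind an injectable `fetch` so the sample at
the bottom runs offline against constructed responses.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

API_BASE = "https://api.atlassian.com"

# Assumed per-product audit-log paths, keyed by the scope that grants them.
PROBE_PATHS = {
    "read:audit-log:jira": "/ex/jira/{cloud_id}/rest/api/3/auditing/record?limit=1",
    "read:audit-log:confluence": "/ex/confluence/{cloud_id}/wiki/rest/api/audit?limit=1",
}

Fetch = Callable[[str, str], int]


def http_status(url: str, token: str) -> int:
    """Real transport: GET the URL with the bearer token and return the HTTP status."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_url(site: dict) -> Optional[str]:
    """Pick a probe URL from the first granted scope we know a path for, else None."""
    for scope in site.get("scopes", []):
        path = PROBE_PATHS.get(scope)
        if path:
            return API_BASE + path.format(cloud_id=site["id"])
    return None


def classify_sites(resources: List[dict], token: str, fetch: Fetch = http_status) -> Dict[str, dict]:
    """Map each cloud id to how its probe went.

    'ok'          -> 200: the token is authenticated for this site
    'needs_admin' -> 403: per the issue, the user who did the OAuth flow is not an admin
    'unavailable' -> any other code (kept in 'http' so the caller can decide)
    'unprobed'    -> the site granted no scope we have a probe path for
    """
    result: Dict[str, dict] = {}
    for site in resources:
        url = probe_url(site)
        if url is None:
            result[site["id"]] = {"name": site.get("name"), "status": "unprobed", "http": None}
            continue
        code = fetch(url, token)
        if code == 200:
            status = "ok"
        elif code == 403:
            status = "needs_admin"
        else:
            status = "unavailable"
        result[site["id"]] = {"name": site.get("name"), "status": status, "http": code}
    return result


def usable_cloud_ids(classified: Dict[str, dict]) -> List[str]:
    """Cloud ids worth making real requests against."""
    return sorted(cid for cid, info in classified.items() if info["status"] == "ok")


# Constructed sample: the two sites from the issue plus one with a scope we cannot probe.
SAMPLE_RESOURCES = json.loads("""[
  {"id": "0000", "url": "https://testsite0.com", "name": "test0",
   "scopes": ["read:audit-log:confluence"], "avatarUrl": "test0.png"},
  {"id": "1111", "url": "https://testsite1.com", "name": "test1",
   "scopes": ["read:audit-log:jira"], "avatarUrl": "test1.png"},
  {"id": "2222", "url": "https://testsite2.com", "name": "test2",
   "scopes": ["read:jira-work"], "avatarUrl": "test2.png"}
]""")


def fake_fetch(url: str, token: str) -> int:
    """Constructed stand-in for the network: 1111 answers 200, 0000 is forbidden."""
    if "/ex/jira/1111/" in url:
        return 200
    if "/ex/confluence/0000/" in url:
        return 403
    return 404


if __name__ == "__main__":
    report = classify_sites(SAMPLE_RESOURCES, "example-token", fake_fetch)
    print(json.dumps(report, indent=2))
    print("usable:", usable_cloud_ids(report))
```

Against a real tenant, pass a live access token and leave `fetch` at its default; the `needs_admin` bucket is where the "Permissions required: Administer Jira global permission" message from the docs should be surfaced to the user, since no amount of retrying fixes it.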

      People

        Assignee: Unassigned
        Reporter: Gabi Paludo