  1. Identity
  2. ID-8490

Ability to determine sites that have already been both authenticated and authorized via endpoints


      Issue Summary

      Currently, the https://api.atlassian.com/oauth/token/accessible-resources endpoint shows which sites are authorized for the app, but each site in the accessible resource array also needs someone to go through the OAuth flow. 

      It would be great if there was an endpoint that shows which cloud ID is authorized and authenticated. As of now, the accessible_resources displays which sites can be authenticated, not which sites are authenticated.

      Example of a response for https://api.atlassian.com/oauth/token/accessible-resources:

      [
        {
          "id": "0000",
          "url": "https://testsite0.com", // user **did not** authenticate for this site, we are unable to get logs from this site.
          "name": "test0",
          "scopes": [
            "read:audit-log:confluence"
          ],
          "avatarUrl": "test0.png"
        },
        {
          "id": "1111", // user **did** authenticate for this site, we want to make requests with this id
          "url": "https://testsite1.com", // How can we tell this URL was authorized on the screen?
          "name": "test1",
          "scopes": [
            "read:audit-log:jira"
          ],
          "avatarUrl": "test1.png"
        }
      ]

      Suggestion

      Either create a new endpoint to return which cloud_ids are authorized and authenticated or add a boolean to the existing endpoint for whether or not a site is authenticated, to avoid unnecessary calls.

      Workaround

      The workaround would be to make requests to each accessible resource and see which returns 200. When the user who performed the OAuth flow is not an admin, the response is 403.

      Additionally, other endpoints could be used to interrogate the user’s permissions. For example, the client can get the current user using GET /rest/api/3/myself with ?expand=groups,applicationRoles. However, that alone expands the scopes the app needs (read:jira-user) without actually fixing anything. Therefore, perhaps the best error message that could be provided is in the Jira Platform REST API docs:

      Permissions required: Administer Jira global permission.

      Propagating that message with links might be the best chance users will have to get an admin to perform the action.
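The workaround above, sketched as an added example (not code from the ticket or from Atlassian): each accessible resource is probed once and bucketed by status, with the admin-permission message attached to Jira sites that return 403. `classify_sites`, `product_of`, `fake_probe` and site `2222` are hypothetical; the real HTTP request is injected as `probe` because the ticket does not name the endpoint path.

```python
import json

# Constructed sample: the two sites from the response above plus one
# made-up Jira site ("2222") where the user is not an admin.
ACCESSIBLE_RESOURCES = json.loads("""
[
  {"id": "0000", "url": "https://testsite0.com", "name": "test0",
   "scopes": ["read:audit-log:confluence"], "avatarUrl": "test0.png"},
  {"id": "1111", "url": "https://testsite1.com", "name": "test1",
   "scopes": ["read:audit-log:jira"], "avatarUrl": "test1.png"},
  {"id": "2222", "url": "https://testsite2.com", "name": "test2",
   "scopes": ["read:audit-log:jira"], "avatarUrl": "test2.png"}
]
""")

ADMIN_HINT = "Permissions required: Administer Jira global permission."

def product_of(scopes):
    """Derive the product from scopes such as 'read:audit-log:jira'."""
    products = {s.rsplit(":", 1)[-1] for s in scopes}
    return products.pop() if len(products) == 1 else None

def classify_sites(resources, probe):
    """Probe every site once and bucket it by HTTP status.

    probe(cloud_id, product) -> int is supplied by the caller and performs a
    single read with the scope the app already holds (no extra scopes needed).
    """
    report = {"usable": [], "needs_admin": [], "unknown": []}
    for site in resources:
        product = product_of(site["scopes"])
        status = probe(site["id"], product)
        entry = {"id": site["id"], "url": site["url"], "status": status}
        if status == 200:
            report["usable"].append(entry)
        elif status == 403:
            # Listed, but the user who ran the OAuth flow is not an admin there.
            hint = ADMIN_HINT if product == "jira" else None
            report["needs_admin"].append({**entry, "hint": hint})
        else:
            # 401/429/5xx and the like: retry later, never record as denied.
            report["unknown"].append(entry)
    return report

def fake_probe(cloud_id, product):
    """Hypothetical stand-in for the real HTTP call (statuses are constructed)."""
    return {"0000": 403, "1111": 200, "2222": 403}.get(cloud_id, 503)

if __name__ == "__main__":
    print(json.dumps(classify_sites(ACCESSIBLE_RESOURCES, fake_probe), indent=2))
```

Only the `usable` bucket should be polled afterwards; `unknown` results are retried rather than cached, so a transient failure never hides a site that is in fact authorized.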

      Assignee: Unassigned
      Reporter: Gabi Paludo
      Votes: 18
      Watchers: 9
