Support for Atlassian Service Account AAID discovery in Forge Remote offline user auth token impersonation flow to enable service accounts as valid impersonated identities.


Issue Summary

Forge Remote offline user auth token (the offlineUserAuthToken GraphQL mutation) does not support Atlassian Service Accounts as the impersonated identity. When a Forge Remote app generates an offline user auth token for a service account and uses it to call Jira REST APIs via Authorization: Bearer <token>, the request is rejected with HTTP 401.
This is caused by the Atlassian Identity system's inability to discover and validate the Account ID (AAID) for Service Accounts during Stargate's OAuth token validation.

Workaround

Use OAuth 2.0 client credentials for service account API calls instead of the Forge Remote offline user auth token:
Reference: https://support.atlassian.com/user-management/docs/create-oauth-2-0-credential-for-service-accounts/

Limitations of the workaround:

•  Does not provide per-user audit trail (all actions attributed to the OAuth app, not the service account identity)
•  Does not integrate with Forge Remote's impersonation mechanism
•  Requires additional OAuth credential management outside of Forge
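The workaround above, sketched as an added Python example (this is not code from the issue, from Forge, or from Atlassian): exchange the service account's client credentials for a bearer token, then call a Jira REST endpoint with it and treat an HTTP 401 as a rejected identity rather than retrying. The token endpoint URL, site URL and scope string are placeholders (assumptions); the real values come from the Atlassian documentation linked above. The `fake_http` transport and its responses are constructed so the flow runs offline; `urllib_http` is the real transport.

```python
"""Added example: OAuth 2.0 client-credentials flow for a service account, then a
Jira REST call with the resulting bearer token. Not Atlassian or Forge code."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Placeholder endpoints (assumptions): replace with the values from the Atlassian docs.
TOKEN_URL = "https://example.invalid/oauth/token"
SITE_URL = "https://example.invalid"

# Transport signature: (method, url, headers, body) -> (status, response body)
HttpFn = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_http(method: str, url: str, headers: Dict[str, str],
                body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport: returns the status even for 4xx/5xx instead of raising."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def build_token_request(client_id: str, client_secret: str,
                        scope: str) -> Tuple[Dict[str, str], bytes]:
    """Form-encoded client_credentials grant; the secret goes in the body, never in the URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return headers, body


def fetch_access_token(client_id: str, client_secret: str, scope: str,
                       http: HttpFn = urllib_http, token_url: str = TOKEN_URL) -> str:
    """Exchange client credentials for a bearer access token."""
    headers, body = build_token_request(client_id, client_secret, scope)
    status, payload = http("POST", token_url, headers, body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    token = json.loads(payload)
    if token.get("token_type", "").lower() != "bearer" or "access_token" not in token:
        raise RuntimeError("token response is not a bearer token")
    return token["access_token"]


def call_jira(path: str, access_token: str,
              http: HttpFn = urllib_http, site_url: str = SITE_URL) -> dict:
    """GET a Jira REST path with the bearer token; 401 means the identity was rejected."""
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    status, payload = http("GET", site_url + path, headers, None)
    if status == 401:
        raise PermissionError("Jira rejected the bearer token (HTTP 401); do not retry blindly")
    if status != 200:
        raise RuntimeError(f"Jira returned HTTP {status}")
    return json.loads(payload)


def fake_http(method: str, url: str, headers: Dict[str, str],
              body: Optional[bytes]) -> Tuple[int, bytes]:
    """Constructed offline stand-in: issues one token and accepts only that token."""
    if url.endswith("/oauth/token") and method == "POST" and body is not None:
        fields = urllib.parse.parse_qs(body.decode())
        if fields.get("grant_type") == ["client_credentials"]:
            return 200, json.dumps({"access_token": "tok-123",
                                    "token_type": "Bearer", "expires_in": 3600}).encode()
        return 400, b'{"error":"unsupported_grant_type"}'
    if headers.get("Authorization") == "Bearer tok-123":
        # Constructed sample identity response for the myself endpoint.
        return 200, json.dumps({"accountId": "sa-0001", "accountType": "app"}).encode()
    return 401, b""


def demo(http: HttpFn = fake_http) -> dict:
    """Run the whole workaround flow end to end and return the caller's identity."""
    token = fetch_access_token("client-id", "client-secret", "read:jira-work", http=http)
    return call_jira("/rest/api/3/myself", token, http=http)


if __name__ == "__main__":
    print(demo())
```

Swapping `http=urllib_http` into `demo()` turns it into a live call; keep the client secret out of logs and URLs, since with this workaround every action is attributed to the OAuth app, so that secret is the whole audit identity.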

Assignee: Unassigned
Reporter: Sumit Uniyal
Votes: 7
Watchers: 4