The user/picker endpoint returns empty results depending on the number of app scopes


    • Severity 3 - Minor

      Issue Summary

      The user/picker endpoint returns empty results depending on the number of scopes used by the app. This only happens when impersonating a user while interacting with the endpoint.

      Steps to Reproduce

      1. Create a Forge app
      2. Add 42 scopes to the manifest, as in the example below:
            - act-as-user:connect-jira
            - read:connect-jira
            - access-email-addresses:connect-jira
            - read:audit-log:jira
            - read:user-configuration:jira
            - write:user-configuration:jira
            - read:user:jira
            - read:jira-user
            - read:avatar:jira
            - read:group:jira
            - read:email-address:jira
            - read:app-data:jira
            - read:license:jira
            - write:app-data:jira
            - read:app-user-token
            - read:app-system-token
            - read:jira-work
            - read:board-scope:jira-software
            - read:board-scope.admin:jira-software
            - read:sprint:jira-software
            - read:project:jira
            - read:project-role:jira
            - read:project-category:jira
            - read:servicedesk-request
            - read:customer:jira-service-management
            - read:knowledgebase:jira-service-management
            - read:organization:jira-service-management
            - read:organization.property:jira-service-management
            - read:organization.user:jira-service-management
            - read:servicedesk.organization:jira-service-management
            - read:servicedesk.customer:jira-service-management
            - read:request:jira-service-management
            - read:request.approval:jira-service-management
            - read:request.attachment:jira-service-management
            - read:request.comment:jira-service-management
            - read:request.notification:jira-service-management
            - read:request.participant:jira-service-management
            - read:request.sla:jira-service-management
            - read:request.status:jira-service-management
            - read:request.feedback:jira-service-management
            - read:issue-details:jira
            - read:jql:jira
            - read:cmdb-object:jira
            - read:cmdb-schema:jira
            - read:cmdb-type:jira
            - read:cmdb-attribute:jira
        
      3. Attempt to fetch data from the user/picker endpoint while impersonating a user:
            import api, { route } from '@forge/api';

            // Call the user picker as the impersonated user (asUser), not as the app.
            const response = await api.asUser().requestJira(route`/rest/api/3/user/picker?query=<Search-Query>`, {
                headers: {
                    'Accept': 'application/json'
                }
            });
            const data = await response.json();
            console.log(data);
        

      Expected Results

      The users are found and returned to the app.

      Actual Results

      The app receives an empty object in the response:

      { users: [], total: 0, header: 'Showing 0 of 0 matching users' }
      

      Note: this affects requests executed directly from a Forge app backend as well as from remote backends, such as Connect apps using the ACSB framework. Also note that the number of scopes used to reproduce the issue is below the Forge platform limit, which is currently 50.

      Workaround

      Execute the request asApp() instead of asUser() or remove one of the scopes.
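
One way to apply the asApp() workaround without silently changing the authorization context, as an added example that is not part of the original report. `requestAsUser` and `requestAsApp` are hypothetical injected functions that would wrap `api.asUser().requestJira(...)` and `api.asApp().requestJira(...)` and resolve to the parsed JSON body; the sample responses are constructed.

```javascript
// Added example, not code from the report. The two request functions are
// assumptions: each takes the query string and resolves to the parsed JSON
// body of /rest/api/3/user/picker for its identity (user or app).

function isEmptyPickerResult(body) {
  return !body || !Array.isArray(body.users) || body.users.length === 0;
}

async function pickUsers(query, { requestAsUser, requestAsApp,
                                  allowAppFallback = false, log = console.warn }) {
  const asUserBody = await requestAsUser(query);
  if (!isEmptyPickerResult(asUserBody)) {
    return { context: 'user', users: asUserBody.users };
  }

  // An empty asUser() answer is ambiguous: no match, or the scope-count issue.
  // Cross-check with the app identity to tell the two cases apart.
  const asAppBody = await requestAsApp(query);
  if (isEmptyPickerResult(asAppBody)) {
    return { context: 'user', users: [] }; // genuinely no match
  }

  log(`user/picker: asUser() returned 0 users, asApp() returned ${asAppBody.users.length}`);
  if (!allowAppFallback) {
    // Fail closed: do not hand app-context results to a user-context caller.
    return { context: 'user', users: [], discrepancy: true };
  }
  // These results were fetched with the app's permissions, not the user's.
  return { context: 'app', users: asAppBody.users, discrepancy: true };
}

// Constructed sample responses, shaped like the output shown in the report.
const EMPTY = { users: [], total: 0, header: 'Showing 0 of 0 matching users' };
const ONE = {
  users: [{ accountId: 'constructed-id', displayName: 'Sample User' }],
  total: 1,
  header: 'Showing 1 of 1 matching users'
};
```

The `context` field lets the caller see when a result came from the app identity, so any user-level visibility check the app relies on can be applied before the list is shown.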

      Assignee: Unassigned
      Reporter: Bernardo Andreeti
      Votes: 2
      Watchers: 6
