Trouble with Scopes in User-Agent Authorization

alexgalasso · January 24, 2022, 4:10pm

Hi,
I’m trying to use the API Connector User Agent Authorization to allow users to authorize themselves with Atlassian (Jira).

I’ve set everything up as follows:

However, when I go to execute the Login/Signup Using a Social Login workflow, Jira is telling me no valid Scopes have been selected. See below…

But it should look like this:

Here is the oAuth Jira documentation: https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/

Here is the list of Scopes: https://developer.atlassian.com/cloud/jira/platform/scopes-for-connect-and-oauth-2-3LO-apps/

Appreciate everyone’s help here.

Jici · January 24, 2022, 5:50pm

In your App in your dev account in Atlassian, did you add permissions? they need to be added there first.

alexgalasso · January 24, 2022, 6:06pm

Hey @Jici, I’ve added them there first. Do the Scopes need to match exactly the ones listed in the Bubble API? I figure it doesn’t since it’ll use only the ones that are listed.

I feel like my mistake is on the Bubble side, since it’s redirecting me to the auth page, but not passing through the proper scopes.

Jici · January 24, 2022, 6:08pm

Did you try to url encode them directly in API Connector?
Like: read%3Ajira-user%20read%3Ajira-work

alexgalasso · January 24, 2022, 6:17pm

Yah, just tried the following combinations:

read%3Ajira-user%20read%3Ajira-work
scope=read%3Ajira-user%20read%3Ajira-work
?scope=read%3Ajira-user%20read%3Ajira-work
-&scope=read%3Ajira-user%20read%3Ajira-work

No luck unfortunately…

Jici · January 24, 2022, 6:19pm

What I suggest is: Put the initial setting you have tried. Click on the button to login and copy the url here. It will be easier to inspect if there’s any error when bubble create the authorize url

alexgalasso · January 24, 2022, 6:22pm

This is the link I get https://api.atlassian.com/oauth2/authorize/consent?state=hKFo2SBDellCX2RSMjZ0dkZkLTdoTXNmMnpmNHNJdXo0Tngwa6Fup2NvbnNlbnSjdGlk2SBSNER0YjM0OVVyM2VYSVE4dDhaQjAta01GcFI5c3h3aaNjaWTZIHA0bUZid3pJTThZQnUwRmNabURTajNNd1h4MGFXamEw

Jici · January 24, 2022, 6:24pm

I see there’s problably some missing info like audience that is a requested parameter
Try to add ?audience=api.atlassian.com&prompt=consent at the authorize url

The url you post have consent not at the correct place and I don’t see any scope, but it’s not impossible that you get redirected. It may be more complex to debug

alexgalasso · January 24, 2022, 6:26pm

Yes, this is the URL I get before the redirect I sent you above.

https://auth.atlassian.com/login?state=hKFo2SBFUFllRElRTzlrRi03SVpWdzZ4ZlA5dzhYMC0xQTVHQaFupWxvZ2luo3RpZNkgOEZaWnFrQmdZUGNuYVVWak5EN2lhYVJZU0ZUdjhhYnWjY2lk2SBwNG1GYnd6SU04WUJ1MEZjWm1EU2ozTXdYeDBhV2phMA&client=p4mFbwzIM8YBu0FcZmDSj3MwXx0aWja0&protocol=oauth2&redirect_uri=https%3A%2F%2Fopsbunny.com%2Fversion-test%2Fsettings%3Fdebug_mode%3Dtrue&response_type=code&scope=read%3Auser-jira%20read%3Ajira-work%20write%3Ajira-work

Jici · January 24, 2022, 6:31pm

For me it’s not working but if you try this
https://auth.atlassian.com/login?state=hKFo2SBFUFllRElRTzlrRi03SVpWdzZ4ZlA5dzhYMC0xQTVHQaFupWxvZ2luo3RpZNkgOEZaWnFrQmdZUGNuYVVWak5EN2lhYVJZU0ZUdjhhYnWjY2lk2SBwNG1GYnd6SU04WUJ1MEZjWm1EU2ozTXdYeDBhV2phMA&client=p4mFbwzIM8YBu0FcZmDSj3MwXx0aWja0&protocol=oauth2&redirect_uri=https%3A%2F%2Fopsbunny.com%2Fversion-test%2Fsettings%3Fdebug_mode%3Dtrue&response_type=code&scope=read%3Auser-jira%20read%3Ajira-work%20write%3Ajira-work&audience=api.atlassian.com

(just added audience)

You may see something different
However, this link may also be a redirected one because I don’t see the authorize url at first.
I have set the Jira API in the past but I don’t remember exactly how and I don’t have my example for it anymore

alexgalasso · January 24, 2022, 6:37pm

I see what you’re trying to do, and I’ll keep poking around to see if I can rebuild the link as it’s supposed to be. It feels super close. Appreciate your help.

Also, I’m in Quebec too

Jici · January 24, 2022, 6:39pm

Parfait! I’m sure you are not far from getting it work

alexgalasso · January 24, 2022, 10:23pm

I think I got it haha… you were right… add the below and it worked… testing now to see but unblocked for now. GROS MERCI!

alexgalasso · January 27, 2022, 1:12pm

@Jici quick follow up question, if you don’t mind

The oAuth2.0 is working great, and using the Signup with Social Login workflow, I am able to successfully have the user complete the full trip.

The issue now is that my calls were setup using Basic Auth, which seems, is not recommended or supported by Atlassian for what I want to do. When I try to execute my call, I’m getting a 401 error.

As per the documentation, this is what the post request should look like:
curl --request POST
–url ‘https://your-domain.atlassian.net/rest/api/3/issue’
–user ‘[email protected]:<api_token>’
–header ‘Accept: application/json’
–header ‘Content-Type: application/json’ \

And this is within my bubble currently:

I believe the issue is that the " --user ‘[email protected]:<api_token>’ " is not in the bubble request. Would you have any ideas how to add it?

Jici · January 27, 2022, 1:16pm

You want to use basic auth for this endpoint and not the oAuth2?
Did you create a new API (not just a new call. You need to separate the auth. Some API will not accept your call if you have two auth header)
Did you use the Basic auth in Bubble?

alexgalasso · January 27, 2022, 1:31pm

I would like to use oAuth2.
Currently, the authentication and the calls are all in one api. Should I separate them and set the Authentication field to None/Self-Handled?

Jici · January 27, 2022, 1:34pm

If you use oAuth2, why do you try to use basic auth? I’m a little bit lost on what you are trying to do and the confusion between the two auth you want to use

alexgalasso · January 27, 2022, 1:40pm

Sorry for the confusion. I should not have mentioned the Basic Auth, as it was something that was done by someone else. According to the Jira documentation, they highly recommend oAuth2, and because I’m building an enterprise product, extra security is what I’ll need.

And right now, all the calls are within the oAuth2 api.

Jici · January 27, 2022, 1:48pm

The first thing to check is if your authorization for API Connector is expired. Bubble doesn’t refresh the authorization for the API connector automatically. After the access token is expired, you will not be able to initialize call before you reauth in dev debug mode.

Second thing to check is to be sure the authorization scopes allow you to call the endpoint. In this case, user need to allow write:jira-work scope for this endpoint

alexgalasso · January 27, 2022, 2:22pm

Yah, I was able to approve it in debug mode, and get the token.

I also have write:ira-work in the URL.

It seems the problem is that the user token is not being passed along with the individual call to ‘create a ticket’ and therefore is failing because I’m unauthorized. I’m not sure how to pass along the valid token, from the oAuth, to the individual call. I think once I can figure that out, it’ll work.

You mentioned that the calls should be in a separate api? (They are in the same one now).

The other option I’m thinking is trying to add the query on ‘https://opsbunny.atlassian.net/rest/api/3/issue’ like '?code=<access_token>" but that hasn’t really paid off yet. Do both the user’s email and token need to be passed through to validate the oauth2? In that case maybe a ‘?email=&code=<access_token>’ does the trick. What do you think?