Connect API installed event does not have user account ID in query parameters.

Phil_Dimeski
Contributor
November 5, 2018

Hey, 

As part of Jira's deprecation process I am updating the way my addon uses the user_key for impersonation requests. When testing with the connect-inspector I noticed that the user_key was replaced with user_account_id for the installed event in the query parameters.

When I receive the installed event I still have the user_key in the query parameters. Is there something I need to enable in my app descriptor?

 

Cheers, Phil

1 answer

0 votes
Dugald Morrow
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 5, 2018

Hi @Phil_Dimeski, you can opt into the "privacy safe" behaviour by modifying your app descriptor. The two pages worth reading to explain this are as follows:

Phil_Dimeski
Contributor
November 5, 2018

Hey Dugald, thanks heaps for that, it was super super helpful!

Just one thing I want to check regarding this quote: 

'The installed and uninstalled lifecycle callbacks accidentally include the query parameter user_key. This field will be removed. Apps using JWT authentication should instead use the user context from the JWT token.'

It doesn't mention if it will include the accountID instead of the user key. Is this part of opting in?

Dugald Morrow
Atlassian Team
November 5, 2018

Hi @Phil_Dimeski,

Yes, the JWT token will contain the accountID. 

Regards,

Dugald

Phil_Dimeski
Contributor
November 12, 2018

So I have been playing around with this and have enabled the following in my app descriptor:

    "apiMigrations": {
        "gdpr": true
    }

When I test using the connect-inspector the /installed event has the payload shown below. Notice the user_account_id in the query parameter. This value is not provided for my app's /installed event. Is this supposed to happen?

I know the user_account_id is in the jwt token under sub but I want to make sure that I am not missing something cause it would be easier to get it from the query parameters.

Memory Team June 25, 2020

@Dugald Morrow, I'm also facing a similar issue.
As per the JIRA documentation, https://developer.atlassian.com/cloud/jira/software/security-for-connect-apps/
we will not be receiving the Authorization header with the JWT token during the first install.
But our app is dependent on the user_account_id parameter received in the /installed event.

We have stopped receiving this parameter for /installed event.

Here is a part of our app-descriptor file:

    "authentication": {
        "type": "jwt"
    },
    "apiMigrations": {
        "gdpr": true
    },
    "scopes": [
        "READ", "ACCESS_EMAIL_ADDRESSES"
    ],

    "lifecycle": {
        "installed": "/integrations/jira/installed",
        "uninstalled": "/integrations/jira/uninstalled"
    }

Dugald Morrow
Atlassian Team
June 25, 2020

I just tested this using the https://connect-inspector.services.atlassian.com/ and I see the user_account_id query parameter is being passed to the installed end point. Maybe you can try testing this using the Connect inspector also?

Memory Team June 29, 2020

Thanks for the quick response @Dugald Morrow.
We are receiving the user_account_id query parameter for a few customers. But for a few customers' installed callbacks we are not receiving this parameter.
Is there any setting in JIRA which can block sharing user_account_id with an installed app?

Dugald Morrow
Atlassian Team
June 29, 2020

Hi @Memory Team ,

This seems strange. I don't think there are any Jira settings that affect whether the user_account_id parameter is provided. Are you able to reproduce this?

Regards,

Dugald

Memory Team June 29, 2020

Hi @Dugald Morrow ,

I'm also not able to reproduce this issue. When I try with my workspace I always get either user_account_id or JWT token.

But, last week I saw quite a few /installed requests from JIRA to our App which were missing either user_account_id in query parameter or JWT token in the header. Hence, I was wondering if this is something to do with our recent change of reducing the scopes.

Thanks for the help!

Dugald Morrow
Atlassian Team
June 29, 2020

Hi @Memory Team ,

There are two parts to this:

  1. Missing user_account_id: This may occur when Marketplace upgrades an app installation after detecting changes to the app descriptor. Is your app listed in Marketplace and did you make changes to the app descriptor?
  2. Missing JWT token: The first installation of an app in a tenant is not signed with a JWT token, but subsequent installations are.

Regards,

Dugald
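
Added example, not part of the thread and not Atlassian's code: one way an /installed handler can resolve the installing user's account ID across the cases described above, taking `sub` from a verified JWT when the callback is signed and marking the `user_account_id` query parameter as unverified otherwise. It assumes an HS256 token sent as `Authorization: JWT <token>` and signed with the shared secret stored from the previous installation; the function names, source labels and sample values are hypothetical.

```python
import base64, hashlib, hmac, json, time

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Build a token for constructed test input (hypothetical helper)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(secret, head + '.' + body))}"

def verify_hs256(token, secret, now=None):
    """Return the claims if signature and exp are valid, otherwise None.
    Connect's qsh (query string hash) claim check is outside this example."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        given = _b64d(sig)
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # refuse "none" and anything unexpected
        return None
    if not hmac.compare_digest(given, _mac(secret, head + "." + body)):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp < (time.time() if now is None else now):
        return None
    return claims

def installer_account_id(headers, query, stored_secret, now=None):
    """Return (account_id, source) for one /installed callback."""
    auth = headers.get("Authorization", "")
    if auth.startswith("JWT "):
        claims = verify_hs256(auth[4:], stored_secret, now) if stored_secret else None
        if claims is None:
            return None, "rejected"      # signed request that fails verification
        if claims.get("sub"):
            return claims["sub"], "jwt"  # authenticated by the shared secret
    # Unsigned first install, or a signed callback that names no user.
    acct = query.get("user_account_id")
    return (acct, "query-unverified") if acct else (None, "absent")
```
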

Memory Team June 30, 2020

Hi @Dugald Morrow ,

1. Yes, our app is listed in Marketplace and recently we changed the app descriptor to reduce the scopes.
2. Right, we have already taken care of the JWT token.

For the last 2 days we have started receiving user_account_id in the parameters.

But now, when we are calling the following API to get the user's email:

GET /rest/api/3/user/email?accountId={accountId}

We are getting 401 Unauthorized error with HTML response.
We are calling this API as documented here (https://developer.atlassian.com/cloud/jira/platform/rest/v3/?_ga=2.238660480.1263124937.1593510644-624183373.1586256627#api-rest-api-3-user-email-get)

We are creating JWT token and passing it in the header for authentication.

Thanks for your help!

Dugald Morrow
Atlassian Team
June 30, 2020

Hi @Memory Team ,

This is now a new problem so it would be better to start a new thread for this. In addition, development questions should be raised in https://community.developer.atlassian.com/.

To retrieve a user's email address, your app needs the ACCESS_EMAIL_ADDRESSES scope. Does your app have this scope? If not, you need to apply at https://ecosystem.atlassian.net/servicedesk/customer/portal/14/group/63/create/284.

Regards,

Dugald

Memory Team July 1, 2020

Hi @Dugald Morrow ,

Thanks for the response.

Yes, we have the ACCESS_EMAIL_ADDRESSES scope added to our app and are also receiving the email address for a few customers who install our app.

But for a few customers we are getting this error. I was wondering if there is any setting in JIRA which blocks users from sharing their email address with installed apps?

I will start new thread for tracking this issue.

Thanks for your help!
