From 414442db5d0809d09e89ec345c32e41f8a9ec5ab Mon Sep 17 00:00:00 2001
From: Waleed Latif
Date: Fri, 1 May 2026 14:14:11 -0700
Subject: [PATCH 1/6] fix(oauth): trim Atlassian OAuth scopes to fix CloudFront 414
---
 apps/sim/lib/oauth/oauth.ts | 30 +-----------------------------
 apps/sim/lib/oauth/utils.ts | 1 +
 2 files changed, 2 insertions(+), 29 deletions(-)
diff --git a/apps/sim/lib/oauth/oauth.ts b/apps/sim/lib/oauth/oauth.ts
index 9f12b4c3f60..0d445f0609d 100644
--- a/apps/sim/lib/oauth/oauth.ts
+++ b/apps/sim/lib/oauth/oauth.ts
@@ -438,10 +438,8 @@ export const OAUTH_PROVIDERS: Record = {
 icon: ConfluenceIcon,
 baseProviderIcon: ConfluenceIcon,
 scopes: [
- 'read:confluence-content.all',
 'read:confluence-space.summary',
 'read:space:confluence',
- 'read:space-details:confluence',
 'write:confluence-content',
 'write:confluence-space',
 'write:confluence-file',
@@ -451,7 +449,6 @@ export const OAUTH_PROVIDERS: Record = {
 'write:comment:confluence',
 'delete:comment:confluence',
 'delete:attachment:confluence',
- 'read:content:confluence',
 'delete:page:confluence',
 'read:label:confluence',
 'write:label:confluence',
@@ -460,21 +457,14 @@ export const OAUTH_PROVIDERS: Record = {
 'search:confluence',
 'read:me',
 'offline_access',
- 'read:blogpost:confluence',
- 'write:blogpost:confluence',
- 'delete:blogpost:confluence',
- 'read:content.property:confluence',
- 'write:content.property:confluence',
 'read:hierarchical-content:confluence',
 'read:content.metadata:confluence',
 'read:user:confluence',
+ 'read:confluence-user',
 'read:task:confluence',
 'write:task:confluence',
 'write:space:confluence',
 'delete:space:confluence',
- 'read:space.property:confluence',
- 'write:space.property:confluence',
- 'read:space.permission:confluence',
 ],
 },
 },
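Review bot: The added `'read:confluence-user'` in the third oauth.ts hunk sits directly under the retained `'read:user:confluence'`, and nothing at the entry records why both a classic and a granular scope for user profiles are requested. The description added in utils.ts ties the classic one to the v1 API, so a comment at the entry such as `// classic scope, needed for v1 API user lookups` would keep a later trim from removing it by mistake. The scopes array starts above the hunk, so the rest of the list is not visible here.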
@@ -500,16 +490,12 @@ export const OAUTH_PROVIDERS: Record = {
 'read:me',
 'offline_access',
 'read:issue-meta:jira',
- 'read:issue-security-level:jira',
- 'read:issue.vote:jira',
 'read:issue.changelog:jira',
 'read:avatar:jira',
 'read:issue:jira',
 'read:status:jira',
 'read:user:jira',
- 'read:field-configuration:jira',
 'read:issue-details:jira',
- 'read:issue-event:jira',
 'delete:issue:jira',
 'write:comment:jira',
 'read:comment:jira',
@@ -522,12 +508,6 @@ export const OAUTH_PROVIDERS: Record = {
 'delete:issue-worklog:jira',
 'write:issue-link:jira',
 'delete:issue-link:jira',
- 'manage:jira-webhook',
- 'read:webhook:jira',
- 'write:webhook:jira',
- 'delete:webhook:jira',
- 'read:issue.property:jira',
- 'read:comment.property:jira',
 'read:jql:jira',
 'read:field:jira',
 // Jira Service Management scopes
@@ -537,20 +517,12 @@ export const OAUTH_PROVIDERS: Record = {
 'write:request:jira-service-management',
 'read:request.comment:jira-service-management',
 'write:request.comment:jira-service-management',
- 'read:customer:jira-service-management',
- 'write:customer:jira-service-management',
 'read:servicedesk.customer:jira-service-management',
 'write:servicedesk.customer:jira-service-management',
 'read:organization:jira-service-management',
 'write:organization:jira-service-management',
 'read:servicedesk.organization:jira-service-management',
 'write:servicedesk.organization:jira-service-management',
- 'read:organization.user:jira-service-management',
- 'write:organization.user:jira-service-management',
- 'read:organization.property:jira-service-management',
- 'write:organization.property:jira-service-management',
- 'read:organization.profile:jira-service-management',
- 'write:organization.profile:jira-service-management',
 'read:queue:jira-service-management',
 'read:request.sla:jira-service-management',
 'read:request.status:jira-service-management',
diff --git a/apps/sim/lib/oauth/utils.ts b/apps/sim/lib/oauth/utils.ts
index 5db26dbc0d1..a2e3e453d27 100644
--- a/apps/sim/lib/oauth/utils.ts
+++ b/apps/sim/lib/oauth/utils.ts
@@ -70,6 +70,7 @@ export const SCOPE_DESCRIPTIONS: Record = {
 'read:hierarchical-content:confluence': 'View page hierarchy (children and ancestors)',
 'read:content.metadata:confluence': 'View content metadata (required for ancestors)',
 'read:user:confluence': 'View Confluence user profiles',
+ 'read:confluence-user': 'View Confluence user profiles (v1 API)',
 'read:task:confluence': 'View Confluence inline tasks',
 'write:task:confluence': 'Update Confluence inline tasks',
 'delete:blogpost:confluence': 'Delete Confluence blog posts',
From 3030b4d0cea9c49481ddbe306695d4b46da4ac24 Mon Sep 17 00:00:00 2001
From: Waleed Latif
Date: Fri, 1 May 2026 15:24:42 -0700
Subject: [PATCH 2/6] fix(oauth): restore Confluence scopes whose tools are still active
---
 apps/sim/lib/oauth/oauth.ts | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/apps/sim/lib/oauth/oauth.ts b/apps/sim/lib/oauth/oauth.ts
index 0d445f0609d..9f1c1b0f9e1 100644
--- a/apps/sim/lib/oauth/oauth.ts
+++ b/apps/sim/lib/oauth/oauth.ts
@@ -438,6 +438,7 @@ export const OAUTH_PROVIDERS: Record = {
 icon: ConfluenceIcon,
 baseProviderIcon: ConfluenceIcon,
 scopes: [
+ 'read:confluence-content.all',
 'read:confluence-space.summary',
 'read:space:confluence',
 'write:confluence-content',
@@ -465,6 +466,14 @@ export const OAUTH_PROVIDERS: Record = {
 'write:task:confluence',
 'write:space:confluence',
 'delete:space:confluence',
+ 'read:blogpost:confluence',
+ 'write:blogpost:confluence',
+ 'delete:blogpost:confluence',
+ 'read:content.property:confluence',
+ 'write:content.property:confluence',
+ 'read:space.property:confluence',
+ 'write:space.property:confluence',
+ 'read:space.permission:confluence',
 ],
 },
 },
From 9d93e3bd829f967f001bc90a207bed356b437076 Mon Sep 17 00:00:00 2001
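Review bot: The eight scopes appended after `'delete:space:confluence'` in patch 2, together with `'read:confluence-content.all'` in its first hunk, grow a list that the previous patch shortened to get the authorize URL past a CloudFront 414, and nothing visible here bounds the list. A unit test that builds the Atlassian authorize URLs from `OAUTH_PROVIDERS` and fails above a fixed scope count or URL length would catch the next regression before users hit it; patch 5 in this series cites Atlassian's guidance of fewer than 50 scopes. The restored entries would also be easier to audit next to their related read/write/delete scopes than at the tail of the array. The array starts above the hunk, so the resulting total is not visible here.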
From: Waleed Latif Date: Fri, 1 May 2026 15:32:57 -0700 Subject: [PATCH 3/6] fix(oauth): add JSM Forms scopes for form tools --- apps/sim/lib/oauth/oauth.ts | 3 +++ apps/sim/lib/oauth/utils.ts | 3 +++ 2 files changed, 6 insertions(+) diff --git a/apps/sim/lib/oauth/oauth.ts b/apps/sim/lib/oauth/oauth.ts index 9f1c1b0f9e1..769fb2b0bca 100644 --- a/apps/sim/lib/oauth/oauth.ts +++ b/apps/sim/lib/oauth/oauth.ts @@ -540,6 +540,9 @@ export const OAUTH_PROVIDERS: Record = { 'write:request.participant:jira-service-management', 'read:request.approval:jira-service-management', 'write:request.approval:jira-service-management', + 'read:form:jira-service-management', + 'write:form:jira-service-management', + 'delete:form:jira-service-management', ], }, }, diff --git a/apps/sim/lib/oauth/utils.ts b/apps/sim/lib/oauth/utils.ts index a2e3e453d27..4c38f8949a0 100644 --- a/apps/sim/lib/oauth/utils.ts +++ b/apps/sim/lib/oauth/utils.ts @@ -201,6 +201,9 @@ export const SCOPE_DESCRIPTIONS: Record = { 'Add and remove participants from customer requests', 'read:request.approval:jira-service-management': 'View approvals on customer requests', 'write:request.approval:jira-service-management': 'Approve or decline customer requests', + 'read:form:jira-service-management': 'View JSM forms and templates', + 'write:form:jira-service-management': 'Attach, save, and submit JSM forms', + 'delete:form:jira-service-management': 'Delete JSM forms', // Microsoft scopes 'User.Read': 'Read Microsoft user', From 0250e905c243cce1003c119c638c1107098783b7 Mon Sep 17 00:00:00 2001 
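Review bot: `'delete:form:jira-service-management'` in the oauth.ts hunk adds a destructive permission to every new Jira connection, while the commit message only says the scopes are for form tools. If no shipped tool deletes forms, request only the read and write form scopes, so that a leaked or misused token cannot remove forms. The three entries could also carry a heading comment such as `// JSM Forms scopes`, in the style of the `// Jira Service Management scopes` comment earlier in the same list.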
From: Waleed Latif
Date: Fri, 1 May 2026 15:39:37 -0700
Subject: [PATCH 4/6] fix(oauth): restore read:issue.vote:jira scope
Jira issue retrieve tool reads fields.votes.votes and fields.votes.hasVoted from the GET /rest/api/3/issue payload, which requires the read:issue.vote:jira granular scope. Restoring to prevent vote data from being omitted in retrieve responses.
---
 apps/sim/lib/oauth/oauth.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apps/sim/lib/oauth/oauth.ts b/apps/sim/lib/oauth/oauth.ts
index 769fb2b0bca..b6c4d4e61ac 100644
--- a/apps/sim/lib/oauth/oauth.ts
+++ b/apps/sim/lib/oauth/oauth.ts
@@ -500,6 +500,7 @@ export const OAUTH_PROVIDERS: Record = {
 'offline_access',
 'read:issue-meta:jira',
 'read:issue.changelog:jira',
+ 'read:issue.vote:jira',
 'read:avatar:jira',
 'read:issue:jira',
 'read:status:jira',
From dc8094fedee2500579d9334c0ca92352fc9f8384 Mon Sep 17 00:00:00 2001
From: Waleed Latif
Date: Fri, 1 May 2026 15:55:16 -0700
Subject: [PATCH 5/6] fix(oauth): drop redundant Jira granular scopes covered by classic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Atlassian recommends <50 scopes per OAuth app to keep authorize URLs under URL-length limits. Drops 20 granular Jira read/write scopes that are subsumed by the classic read:jira-work / write:jira-work scopes already in the list. Existing user tokens are unaffected — Atlassian refresh keeps originally-granted scopes; the trimmed list only applies to new authorizations. Kept granular scopes: delete:* (no classic equivalent) and JSM granular scopes (separate scope family).
---
 apps/sim/app/api/tools/jira/issues/route.ts | 4 ++--
 apps/sim/lib/oauth/oauth.ts | 20 --------------------
 2 files changed, 2 insertions(+), 22 deletions(-)
diff --git a/apps/sim/app/api/tools/jira/issues/route.ts b/apps/sim/app/api/tools/jira/issues/route.ts
index c0d7d39f8a5..34e92befb13 100644
--- a/apps/sim/app/api/tools/jira/issues/route.ts
+++ b/apps/sim/app/api/tools/jira/issues/route.ts
@@ -82,7 +82,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 {
 error: errorMessage,
 authRequired: true,
- requiredScopes: ['read:jira-work', 'read:project:jira'],
+ requiredScopes: ['read:jira-work'],
 },
 { status: response.status }
 )
@@ -202,7 +202,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
 {
 error: errorMessage,
 authRequired: true,
- requiredScopes: ['read:jira-work', 'read:project:jira'],
+ requiredScopes: ['read:jira-work'],
 },
 { status: response.status }
 )
diff --git a/apps/sim/lib/oauth/oauth.ts b/apps/sim/lib/oauth/oauth.ts
index b6c4d4e61ac..dfb0c08a166 100644
--- a/apps/sim/lib/oauth/oauth.ts
+++ b/apps/sim/lib/oauth/oauth.ts
@@ -493,33 +493,13 @@ export const OAUTH_PROVIDERS: Record = {
 'read:jira-user',
 'read:jira-work',
 'write:jira-work',
- 'write:issue:jira',
- 'read:project:jira',
- 'read:issue-type:jira',
 'read:me',
 'offline_access',
- 'read:issue-meta:jira',
- 'read:issue.changelog:jira',
- 'read:issue.vote:jira',
- 'read:avatar:jira',
- 'read:issue:jira',
- 'read:status:jira',
- 'read:user:jira',
- 'read:issue-details:jira',
 'delete:issue:jira',
- 'write:comment:jira',
- 'read:comment:jira',
 'delete:comment:jira',
- 'read:attachment:jira',
- 'write:attachment:jira',
 'delete:attachment:jira',
- 'write:issue-worklog:jira',
- 'read:issue-worklog:jira',
 'delete:issue-worklog:jira',
- 'write:issue-link:jira',
 'delete:issue-link:jira',
- 'read:jql:jira',
- 'read:field:jira',
 // Jira Service Management scopes
 'read:servicedesk:jira-service-management',
 'read:requesttype:jira-service-management',
From c1907e037cd4eb8ccd53bd3bead20e4100860b64 Mon Sep 17 00:00:00 2001
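Review bot: `requiredScopes: ['read:jira-work']` is a hand-written literal in the POST handler hunk and again in the GET handler hunk at -202, kept separately from the scope list in `lib/oauth/oauth.ts`. This patch had to edit both copies to match the trimmed list, so a later scope change can leave the re-authorization hint naming a scope the app no longer requests. One module-level constant used by both responses, for example `const JIRA_ISSUES_REQUIRED_SCOPES = ['read:jira-work']`, would remove the duplication. Both handlers start and end outside their hunks, so how `errorMessage` is built before being returned is not visible here.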
From: Waleed Latif
Date: Fri, 1 May 2026 16:14:00 -0700
Subject: [PATCH 6/6] fix(oauth): re-add read:issue.vote:jira to match PR description
Bugbot flagged that the previous classic-scope collapse dropped this granular scope while the PR description still claimed it was restored. Classic read:jira-work covers vote reads, but adding the granular explicitly keeps the description, code, and intent aligned.
---
 apps/sim/lib/oauth/oauth.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apps/sim/lib/oauth/oauth.ts b/apps/sim/lib/oauth/oauth.ts
index dfb0c08a166..c159b94fc5d 100644
--- a/apps/sim/lib/oauth/oauth.ts
+++ b/apps/sim/lib/oauth/oauth.ts
@@ -495,6 +495,7 @@ export const OAUTH_PROVIDERS: Record = {
 'write:jira-work',
 'read:me',
 'offline_access',
+ 'read:issue.vote:jira',
 'delete:issue:jira',
 'delete:comment:jira',
 'delete:attachment:jira',
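Review bot: By this commit's own message `read:jira-work` already covers vote reads, so the added `'read:issue.vote:jira'` requests a permission with no functional effect and lengthens the authorize URL that the rest of the series is shortening. Patch 4's message says the opposite, that the granular scope is required for `fields.votes`, so one of the two claims is wrong and is worth checking with a token issued for the trimmed list. If the classic scope is enough, correct the PR description and drop the line; if the entry stays, a comment such as `// kept although read:jira-work covers votes; see PR description` would stop the next trim from removing it again.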