See https://discourse.phabricator-community.org/t/jiraauthprovider-no-longer-finds-accountid/3557/.
See also:
- (Migration1) https://developer.atlassian.com/cloud/jira/platform/connect-app-migration-guide/
- (Migration2) https://developer.atlassian.com/cloud/jira/platform/deprecation-notice-user-privacy-api-migration-guide/
JIRA has changed its API from returning a key (like alice@mycompany.com) to identify user accounts to returning an accountId (like a1b2c3d4).
During this change, some versions of JIRA returned both identifiers. However, we can not control which versions of JIRA installs run, and installs may upgrade from a key-only version directly to an accountId-only version without ever running any intermediate version.
In modern versions of JIRA, there does not appear to be any way to look up the key for a given accountId, or to look up the accountId for a given key. The "Migration1" document above suggests using the /rest/api/2/user/ endpoint, presumably with an administrator key, to remap accounts. However:
- since we're a pure client OAuth application, we don't have an administrator key to perform this iteration;
- modern JIRA does not return a key at all, so we can't remap at auth time;
array(11) { ["self"]=> string(91) "https://team-1582140698571.atlassian.net/rest/api/2/user?accountId=5e4d8d1b052b790c9750c4d2" ["accountId"]=> string(24) "5e4d8d1b052b790c9750c4d2" ["accountType"]=> string(9) "atlassian" ["avatarUrls"]=> array(4) { ["48x48"]=> string(181) "https://secure.gravatar.com/avatar/559c2575fdb8f1c358412de7a86a6a38?d=https%3A%2F%2Favatar-management--avatars.us-west-2.prod.public.atl-paas.net%2Fdefault-avatar-4.png&size=48&s=48" ["24x24"]=> string(181) "https://secure.gravatar.com/avatar/559c2575fdb8f1c358412de7a86a6a38?d=https%3A%2F%2Favatar-management--avatars.us-west-2.prod.public.atl-paas.net%2Fdefault-avatar-4.png&size=24&s=24" ["16x16"]=> string(181) "https://secure.gravatar.com/avatar/559c2575fdb8f1c358412de7a86a6a38?d=https%3A%2F%2Favatar-management--avatars.us-west-2.prod.public.atl-paas.net%2Fdefault-avatar-4.png&size=16&s=16" ["32x32"]=> string(181) "https://secure.gravatar.com/avatar/559c2575fdb8f1c358412de7a86a6a38?d=https%3A%2F%2Favatar-management--avatars.us-west-2.prod.public.atl-paas.net%2Fdefault-avatar-4.png&size=32&s=32" } ["displayName"]=> string(9) "ASDF 1234" ["active"]=> bool(true) ["timeZone"]=> string(19) "America/Los_Angeles" ["locale"]=> string(5) "en_US" ["groups"]=> array(2) { ["size"]=> int(1) ["items"]=> array(0) { } } ["applicationRoles"]=> array(2) { ["size"]=> int(1) ["items"]=> array(0) { } } ["expand"]=> string(23) "groups,applicationRoles" }
- I can't figure out how to generate a key for a new account, so there's no way to test that migration code works without actually installing old JIRA, saving the key, upgrading it, then testing the code;
- modern JIRA still returns only a name / username mapping from the auth/session endpoint:
array(2) { ["self"]=> string(76) "https://team-1582140698571.atlassian.net/rest/api/latest/user?username=admin" ["name"]=> string(5) "admin" }
In my test case, the name from auth/session is accepted as a key to rest/api/2/user, but I believe this is coincidental and does not function in the general case.
Broadly, there doesn't seem to be any reasonable way for a pure client OAuth application to perform on-login migration of old credentials to new credentials.
The easiest way to deal with this ("not my problem") is:
- change the code to use accountId if available and key otherwise;
- issue guidance for relinking accounts.
Beyond that, any migration seems like it must be explicit.