Hi,
One of our customers Censia has integrated with us and we're trying to fetch all users in their Jira.
We use this endpoint https://developer.atlassian.com/cloud/jira/platform/rest/v3/#api-rest-api-3-users-search-get to fetch the users, but it is returning empty list `[]`.
I have checked that the person trying to connect admin@censia.com is an admin in jira.
Can you help me find out why that might be happening?
Here's the curl request:
```
curl --location --request GET 'censia.atlassian.net/rest/api/3/user/search?username=&maxResults=1000' \
--header 'Authorization: <basic auth creds>'
```
Hello @Nitin Patel ,
If I understand correctly you are trying to get all the users from your instance using REST API but this is returning empty array.
If this is correct, since the GET /rest/api/3/user/search method can also be called by anonymous users, there are chances that either the authentication failed:
This operation can be accessed anonymously.
Or that the account used to authenticate the call does not have browse users permission:
Permissions required: Browse users and groups global permission. Anonymous calls or calls by users without the required permission return empty search results.
However, I can also see a number of other things that does not seem correct in the provided Curl example:
Therefore, can you kindly run the following curl command against your instance and paste the results in your reply removing the sensitive data like shown below?
curl -u <EMAIL-ADDRESS>:<API-TOKEN> -D- -X GET "https://<NAME>.atlassian.net/rest/api/3/user/search?query=&maxResults=1000"
HTTP/2 200
server: AtlassianProxy/1.15.8.1
[...]
date: Fri, 10 Apr 2020 12:40:25 GMT
atl-traceid: 4e5300a61b1fd8ab
x-arequestid: 75d19ba1-eef9-490a-bfbc-6271f33c2b4f
[...]
[{"self":"https://<NAME>.atlassian.net/rest/api/3/user?accountId=5bacXXXXXXXXXXXXXXXXXXbd","accountId":"5bacXXXXXXXXXXXXXXXXXXbd","accountType":"atlassian","emailAddress":"aXXXXXXXXX@atlassian.com","avatarUrls":{"48x48":"https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/5bacXXXXXXXXXXXXXXXXXXbd/dac690af-6307-4655-893c-691c5900a5fb/128?size=48&s=48","24x24":"https:.....
[...]
Finally, please notice that the endpoint you are using might not return all the results as mentioned in the documentation:
This operation takes the users in the range defined by
startAt
andmaxResults
, up to the thousandth user, and then returns only the users from that range that match the search string and property. This means the operation usually returns fewer users than specified inmaxResults
. To get all the users who match the search string and property, use Get all users and filter the records in your code.
Cheers,
Dario
> Permissions required: Browse users and groups global permission. Anonymous calls or calls by users without the required permission return empty search results.
How can I check via API that the admin who connected has this permission?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
By the way, I tried your other suggestions and it still didn't work.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi @Nitin Patel ,
Please notice that in my reply I asked to run the request using curl and to paste the output (anonymized) in here:
Therefore, can you kindly run the following curl command against your instance and paste the results in your reply removing the sensitive data like shown below?
curl -u <EMAIL-ADDRESS>:<API-TOKEN> -D- -X GET "https://<NAME>.atlassian.net/rest/api/3/user/search?query=&maxResults=1000"
HTTP/2 200
server: AtlassianProxy/1.15.8.1
[...]
date: Fri, 10 Apr 2020 12:40:25 GMT
atl-traceid: 4e5300a61b1fd8ab
x-arequestid: 75d19ba1-eef9-490a-bfbc-6271f33c2b4f
[...]
[{"self":"https://<NAME>.atlassian.net/rest/api/3/user?accountId=5bacXXXXXXXXXXXXXXXXXXbd","accountId":"5bacXXXXXXXXXXXXXXXXXXbd","accountType":"atlassian","emailAddress":"aXXXXXXXXX@atlassian.com","avatarUrls":{"48x48":"https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/5bacXXXXXXXXXXXXXXXXXXbd/dac690af-6307-4655-893c-691c5900a5fb/128?size=48&s=48","24x24":"https:.....
[...]
Also, once done, please let me know date, time and timezone you have run the request so I can go check the logs.
Cheers,
Dario
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
oh, sorry I didn't understand you earlier.
Time: 15th April, 1:51 AM IST (Indian Standard Time)
curl
curl --location --request GET 'https://censia.atlassian.net/rest/api/3/user/search?query=&maxResults=1000' \
--header 'Authorization: Basic <creds redacted>' \
--header 'User-Agent: PostmanRuntime/7.22.0' \
--header 'Accept: */*' \
--header 'Cache-Control: no-cache' \
--header 'Postman-Token: f7c5a5ec-68fe-47c2-ae53-c0fc26c0a97f' \
--header 'Host: censia.atlassian.net' \
--header 'Accept-Encoding: gzip, deflate, br' \
--header 'Cookie: atlassian.xsrf.token=BVO6-FIVX-S7K8-OJT0_f2e6e558f2657b1983340d2de40e6c40bc611a33_lin' \
--header 'Connection: keep-alive'
result is empty list `[]`
by the way, I'm using basic authentication with email address and API Token and not username/password.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello @Nitin Patel ,
I can see you have access to 3 different Jira sites and I am not sure which one you are using for the tests.
Looking at the logs of Rxxxxx.atlassian.net I can find some /rest/api/3/user/search requests at the given time (15th April, 1:51 AM IST -> 14th April 22:19 CEST/CET):
Time | Method | Uri | Status | Size| Time | User Agent
2020-04-14 22:13:51.790 | GET | /rest/api/3/user/search?username=&startAt=0&maxResults=1000 | 400 | 2739 | 0.054 | python-requests/2.20.0 | |
2020-04-14 22:19:38.054 | GET | /rest/api/3/user/search?username=&startAt=0&maxResults=1000 | 400 | 2739 | 0.057 | python-requests/2.20.0 |
However, the above requests do not look like the one you pasted above. Indeed:
It looks like above requests are coming from some python code and the request is somehow wrong. Also, in Jira logs last thing logged is a call to get user permissions. So it could also be related to the lack of "browse users permission".
Therefore, in order to proceed:
curl -u <EMAIL-ADDRESS>:<API-TOKEN> -D- -X GET "https://<NAME>.atlassian.net/rest/api/3/user/search?query=&maxResults=1000"
Cheers,
Dario
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I'm not using any of those. It is https://censia.atlassian.net
and it is my customer's account. They've shared their API Token with us, I'm just making a call with the API token they gave me. The email is admin@censia.com
I don't have access to their jira account, just the API token. So, regarding your point about permissions, is there a way I can check permissions using the API?
finally, I ran the exact command you gave, it's returning empty list []
Here's screenshot:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi @Nitin Patel ,
To check if the user you use to authenticate the REST API calls has browse user permission, you can call:
{
"permissions": {
"USER_PICKER": {
"id": "27",
"key": "USER_PICKER",
"name": "Browse users and groups",
"type": "GLOBAL",
"description": "View and select users or groups from the user picker, and share issues. Users with this permission can see the names of all users and groups on your site.",
"havePermission": true
}
}
}
To get the list of all the available permissions:
For more details see:
Let me know if this helps, otherwise I will proceed checking the logs for the given instance.
Cheers,
Dario
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Also @Nitin Patel ,
Please also notice that what you get is exactly the result I get when I am not authenticated:
$ curl -D- "https://censia.atlassian.net/rest/api/3/user/search?query=&maxResults=1000"
HTTP/2 200
server: AtlassianProxy/1.15.8.1
vary: Accept-Encoding
cache-control: no-cache, no-store, no-transform
content-type: application/json;charset=UTF-8
strict-transport-security: max-age=315360000; includeSubDomains; preload
date: Thu, 16 Apr 2020 10:46:22 GMT
atl-traceid: 7c2c9cc106c965f9
x-arequestid: d3e19c4c-2d0f-4a08-a6fb-a69316d5b0b2
x-xss-protection: 1; mode=block
timing-allow-origin: *
x-content-type-options: nosniff
set-cookie: atlassian.xsrf.token=BVO6-FIVX-S7K8-OJT0_208061576a953ce06a61c06df797858aa3b5594a_lout; Path=/; Secure
expect-ct: report-uri="https://web-security-reports.services.atlassian.com/expect-ct-report/global-proxy", enforce, max-age=86400
[]
So, by calling the /rest/api/3/mypermissions endpoint you should be able to determine whether the authentication credentials are not working/correct or if your user does not have browse users permission.
Cheers,
Dario
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hey,
I think I found the root cause is that the admin doesn't have USER_PICKER ie "Browse users and groups".
Thanks for your help!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You are very welcome @Nitin Patel , I am happy to know I was able to help! :)
I am accepting the answer so that this thread will be marked as resolved.
Have a nice day,
Dario
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I am seeing this exact same issue, when checking the USER_PICKER permission, it is granted, however the user search API still returns no results.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hey, I have the same issue, an empty group list when targetting https://<base URL>/rest/api/2/myself
Here is the returned result:
{"self":"https://<base URL>/rest/api/2/user?username=<my username>", […], "locale":"en_US","groups":{"size":14,"items":[]},"applicationRoles":{"size":2,"items":[]},"expand":"groups,applicationRoles"}
No where is the list of groups/application roles.
I have the browse users and groups permission.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.