pass scopes to strategy

Signed-off-by: Spencer Post <spencer.post@guildeducation.com>

.changeset/curly-seals-pull.md

@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-backend-module-atlassian-provider': patch
+---
+
+Read scopes from config and pass to AtlassianProvider as they are required

plugins/auth-backend-module-atlassian-provider/config.d.ts

@@ -27,6 +27,7 @@ export interface Config {
           clientSecret: string;
           audience?: string;
           callbackUrl?: string;
+          scope?: string;
         };
       };
     };

plugins/auth-backend-module-atlassian-provider/src/authenticator.ts

@@ -29,6 +29,9 @@ export const atlassianAuthenticator = createOAuthAuthenticator({
   initialize({ callbackUrl, config }) {
     const clientId = config.getString('clientId');
     const clientSecret = config.getString('clientSecret');
+    const scope =
+      config.getOptionalString('scope') ||
+      'offline_access read:jira-work read:jira-user';
     const baseUrl = 'https://auth.atlassian.com';
 
     return PassportOAuthAuthenticatorHelper.from(
@@ -41,6 +44,7 @@ export const atlassianAuthenticator = createOAuthAuthenticator({
           authorizationURL: `${baseUrl}/authorize`,
           tokenURL: `${baseUrl}/oauth/token`,
           profileURL: `${baseUrl}/api/v4/user`,
+          scope,
         },
         (
           accessToken: string,

plugins/auth-backend-module-atlassian-provider/src/module.test.ts

@@ -67,6 +67,63 @@ describe('authModuleAtlassianProvider', () => {
       client_id: 'my-client-id',
       redirect_uri: `http://localhost:${server.port()}/api/auth/atlassian/handler/frame`,
       state: expect.any(String),
+      scope: 'offline_access read:jira-work read:jira-user',
+    });
+
+    expect(decodeOAuthState(startUrl.searchParams.get('state')!)).toEqual({
+      env: 'development',
+      nonce: decodeURIComponent(nonceCookie.value),
+    });
+  });
+  it('should start with and use custom scopes', async () => {
+    const { server } = await startTestBackend({
+      features: [
+        import('@backstage/plugin-auth-backend'),
+        authModuleAtlassianProvider,
+        mockServices.rootConfig.factory({
+          data: {
+            app: {
+              baseUrl: 'http://localhost:3000',
+            },
+            auth: {
+              providers: {
+                atlassian: {
+                  development: {
+                    clientId: 'my-client-id',
+                    clientSecret: 'my-client-secret',
+                    scope: 'offline_access read:filter:jira read:jira-work',
+                  },
+                },
+              },
+            },
+          },
+        }),
+      ],
+    });
+
+    const agent = request.agent(server);
+
+    const res = await agent.get('/api/auth/atlassian/start?env=development');
+
+    expect(res.status).toEqual(302);
+
+    const nonceCookie = agent.jar.getCookie('atlassian-nonce', {
+      domain: 'localhost',
+      path: '/api/auth/atlassian/handler',
+      script: false,
+      secure: false,
+    });
+    expect(nonceCookie).toBeDefined();
+
+    const startUrl = new URL(res.get('location'));
+    expect(startUrl.origin).toBe('https://auth.atlassian.com');
+    expect(startUrl.pathname).toBe('/authorize');
+    expect(Object.fromEntries(startUrl.searchParams)).toEqual({
+      response_type: 'code',
+      client_id: 'my-client-id',
+      redirect_uri: `http://localhost:${server.port()}/api/auth/atlassian/handler/frame`,
+      state: expect.any(String),
+      scope: 'offline_access read:filter:jira read:jira-work',
     });
 
     expect(decodeOAuthState(startUrl.searchParams.get('state')!)).toEqual({