
fix(oauth): trim Atlassian OAuth scopes to fix CloudFront 414#4386

Closed
waleedlatif1 wants to merge 5 commits into
stagingfrom
waleedlatif1/jira-oauth-scope-trim
Closed

Conversation

@waleedlatif1
Collaborator

Summary

  • trimmed Jira/JSM/Confluence OAuth scopes to reduce auth URL length and fix CloudFront 414 errors on SAML SSO bounce
  • removed ~29 unused scopes (webhooks, content props, blogposts, organization mgmt, etc.) verified against tool usage
  • added read:confluence-user (v1 user endpoint requires it) — needs to also be added in the Atlassian Developer Console

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel Bot commented May 1, 2026

The latest updates on your projects.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped May 1, 2026 10:55pm


@cursor

cursor Bot commented May 1, 2026

PR Summary

Medium Risk
Changes requested OAuth scopes for Confluence/Jira (including JSM), which can affect granted permissions and potentially break workflows that relied on removed scopes. Scope adjustments are localized but touch authentication/authorization configuration.

Overview
Reduces the OAuth scope sets requested for Atlassian confluence and jira providers to shorten the authorization URL (mitigating 414s during the SSO bounce) by removing a number of previously-requested Jira/JSM/Confluence scopes (e.g., webhooks, org/user management, blogposts, content/space properties).

Adds the Confluence read:confluence-user scope and a corresponding entry in SCOPE_DESCRIPTIONS to support the v1 Confluence user profile endpoint.

Reviewed by Cursor Bugbot for commit 414442d.

@greptile-apps
Contributor

greptile-apps Bot commented May 1, 2026

Greptile Summary

This PR trims ~29 Atlassian OAuth scopes across Confluence, Jira, and JSM to shorten the authorization URL and fix CloudFront 414 errors, and adds the new read:confluence-user scope needed by the v1 user endpoint.

  • P1 – Confluence connector broken for new connections: read:confluence-content.all was removed from the Confluence OAuth scope list but apps/sim/connectors/confluence/confluence.ts still declares it in requiredScopes. getMissingRequiredScopes does an exact set-membership check, so any token issued after this change will always be flagged as missing this scope, blocking knowledge-base sync for new Confluence connections.

Confidence Score: 3/5

Not safe to merge without fixing the stale requiredScopes reference in the Confluence connector.

A P1 defect exists: the Confluence knowledge-base connector declares read:confluence-content.all as a required scope, but that scope was removed from the OAuth provider config. New OAuth tokens will not include it, causing getMissingRequiredScopes to always report it missing and blocking the connector for all newly-authenticated users. The rest of the scope trimming (Jira, JSM, unused Confluence scopes) looks correct.

apps/sim/connectors/confluence/confluence.ts — line 122 requiredScopes must be reconciled with the updated OAuth scope list.

Important Files Changed

Filename Overview
apps/sim/lib/oauth/oauth.ts Trims ~29 Atlassian OAuth scopes for Confluence, Jira, and JSM to fix CloudFront 414; adds read:confluence-user. The Confluence scope list no longer includes read:confluence-content.all, which is still required by the Confluence connector.
apps/sim/lib/oauth/utils.ts Adds a SCOPE_DESCRIPTIONS entry for the new read:confluence-user scope; does not remove entries for the 8 Confluence scopes that were dropped from oauth.ts.

Sequence Diagram

sequenceDiagram
    participant User
    participant App
    participant AtlassianOAuth as Atlassian OAuth
    participant Connector as Confluence Connector
    participant ScopeCheck as getMissingRequiredScopes

    User->>App: Connect Confluence account
    App->>AtlassianOAuth: Request scopes (oauth.ts list, now WITHOUT read:confluence-content.all)
    AtlassianOAuth-->>App: Token (scopes granted = trimmed list)
    User->>App: Trigger knowledge-base sync
    App->>Connector: Check auth
    Connector->>ScopeCheck: requiredScopes = ['read:confluence-content.all', ...]
    ScopeCheck-->>Connector: MISSING: ['read:confluence-content.all']
    Connector-->>App: Auth error (scope missing)
    App-->>User: Sync fails

Comments Outside Diff (2)

  1. apps/sim/connectors/confluence/confluence.ts, line 122

    P1 Stale requiredScopes breaks the Confluence connector

    read:confluence-content.all was removed from the Confluence OAuth provider's scope list in this PR, but the connector's requiredScopes still references it. getMissingRequiredScopes in lib/oauth/utils.ts does an exact set-membership check: any newly-issued token will not have this scope, so the function will always return it as missing, blocking knowledge-base sync for new connections. Either add read:confluence-content.all back to oauth.ts, or remove it from requiredScopes here (and verify the CQL search endpoint used by this connector doesn't require that v1 scope).

  2. apps/sim/lib/oauth/utils.ts, lines 66-69

    P2 These scope descriptions (read:blogpost:confluence, write:blogpost:confluence, delete:blogpost:confluence, read:content.property:confluence, write:content.property:confluence, read:space.property:confluence, write:space.property:confluence, read:space.permission:confluence) correspond to scopes that were removed from the Confluence OAuth provider in this PR. Keeping stale entries in SCOPE_DESCRIPTIONS isn't harmful, but it leaves dead entries that may cause confusion if developers search for which scopes are active. Consider pruning them alongside the scope removals.

Reviews (1): Last reviewed commit: "fix(oauth): trim Atlassian OAuth scopes ..."
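As an added example (not code from the sim repository or from either review bot), the kind of check that would catch the P1 above before merge: an exact set-membership test in the style the review attributes to getMissingRequiredScopes, a static pass that flags any connector whose requiredScopes are no longer covered by its provider's requested list, and the encoded length of the scope parameter as a rough guard for the 414 symptom. The scope lists, connector table and function names are constructed assumptions for the example.

```typescript
// Constructed sample data (assumption): a trimmed Confluence list that no
// longer requests read:confluence-content.all, while a connector still
// declares it as required, which is the mismatch the review describes.
type ProviderScopes = Record<string, readonly string[]>;
type ConnectorRequirements = Record<
  string,
  { provider: string; requiredScopes: readonly string[] }
>;

const providerScopes: ProviderScopes = {
  confluence: ['read:confluence-user', 'read:confluence-space.summary', 'offline_access'],
  jira: ['read:jira-work', 'write:jira-work', 'offline_access'],
};

const connectors: ConnectorRequirements = {
  confluence: {
    provider: 'confluence',
    requiredScopes: ['read:confluence-content.all', 'read:confluence-user'],
  },
  jira: { provider: 'jira', requiredScopes: ['read:jira-work'] },
};

// Exact set-membership check: any required scope absent from the granted
// list is reported as missing (no wildcard or classic/granular equivalence).
function missingRequiredScopes(granted: readonly string[], required: readonly string[]): string[] {
  return required.filter((scope) => granted.indexOf(scope) === -1);
}

// Static consistency pass: a connector's requiredScopes must be a subset of
// the scopes its provider requests, otherwise every token issued after the
// change is doomed to fail the runtime check above.
function findStaleRequiredScopes(
  providers: ProviderScopes,
  conns: ConnectorRequirements,
): Record<string, string[]> {
  const stale: Record<string, string[]> = {};
  for (const name of Object.keys(conns)) {
    const conn = conns[name];
    const requested = providers[conn.provider] || [];
    const missing = missingRequiredScopes(requested, conn.requiredScopes);
    if (missing.length > 0) stale[name] = missing;
  }
  return stale;
}

// Length of the scope parameter as it appears in the authorize URL
// (space-separated, then URL-encoded), useful for tracking the 414 budget.
function encodedScopeLength(scopes: readonly string[]): number {
  return encodeURIComponent(scopes.join(' ')).length;
}
```

Running findStaleRequiredScopes over the real provider config and connector table in CI would turn this class of regression into a failing test instead of a broken sync for newly authorized users.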


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 3 potential issues.


Jira issue retrieve tool reads fields.votes.votes and fields.votes.hasVoted
from the GET /rest/api/3/issue payload, which requires the
read:issue.vote:jira granular scope. Restoring to prevent vote data from
being omitted in retrieve responses.

Atlassian recommends <50 scopes per OAuth app to keep authorize URLs
under URL-length limits. Drops 20 granular Jira read/write scopes that
are subsumed by the classic read:jira-work / write:jira-work scopes
already in the list. Existing user tokens are unaffected — Atlassian
refresh keeps originally-granted scopes; the trimmed list only applies
to new authorizations.

Kept granular scopes: delete:* (no classic equivalent) and JSM
granular scopes (separate scope family).
@waleedlatif1
Collaborator Author

Closing in favor of a fresh PR for clean review.

@waleedlatif1 waleedlatif1 deleted the waleedlatif1/jira-oauth-scope-trim branch May 2, 2026 17:23