fix(jira): add classic JSM scopes to close granular scope-set gap

Author: waleedlatif1

apps/docs/content/docs/en/integrations/atlassian-service-account.mdx

@@ -64,13 +64,20 @@ The service account inherits permissions from the project/space roles you grant
   <Step>
     Select the scopes the token needs. The minimum set Sim's Jira and Confluence blocks expect is:
 
-    **Jira (granular):**
+    **Jira (classic):**
     ```
     read:jira-user
     read:jira-work
     write:jira-work
     ```
 
+    **Jira Service Management (classic):**
+    ```
+    read:servicedesk-request
+    write:servicedesk-request
+    manage:servicedesk-customer
+    ```
+
     **Confluence (granular):**
     ```
     read:confluence-content.all
@@ -82,6 +89,10 @@ The service account inherits permissions from the project/space roles you grant
 
     Add more scopes only if you need the corresponding operations (delete, manage webhooks, etc.). The full list of scopes Sim's blocks may use is documented in [Atlassian's developer reference](https://developer.atlassian.com/cloud/jira/platform/scopes-for-oauth-2-3LO-and-forge-apps/).
 
+    <Callout type="warn">
+      Prefer the classic scopes above over granular equivalents. Atlassian enforces an endpoint's granular scope list as all-or-nothing, so a token built from a partial granular set fails with `Unauthorized; scope does not match` even though each individual scope was granted. The classic scopes each cover their product's endpoints on their own.
+    </Callout>
+
     <div className="flex justify-center">
       <Image
         src="/static/credentials/atlassian/admin-scope-picker.png"

apps/sim/connectors/jsm/jsm.ts

@@ -334,6 +334,12 @@ export const jsmConnector: ConnectorConfig = {
     mode: 'oauth',
     provider: 'jira',
     requiredScopes: [
+      /**
+       * Atlassian enforces granular scope sets all-or-nothing; the classic scope
+       * alone authorizes the request read endpoints, so require it to flag stale
+       * credentials that predate it in the provider scope list.
+       */
+      'read:servicedesk-request',
       'read:servicedesk:jira-service-management',
       'read:request:jira-service-management',
       'read:request.comment:jira-service-management',

apps/sim/lib/oauth/oauth.ts

@@ -515,12 +515,18 @@ export const OAUTH_PROVIDERS: Record<string, OAuthProviderConfig> = {
           'read:me',
           'offline_access',
           'read:issue.vote:jira',
+          'read:user:jira',
           'delete:issue:jira',
           'delete:comment:jira',
           'delete:attachment:jira',
           'delete:issue-worklog:jira',
           'delete:issue-link:jira',
-          // Jira Service Management scopes
+          // Jira Service Management scopes. The classic scopes are required: Atlassian
+          // enforces an endpoint's granular scope set as all-of, and several JSM request
+          // endpoints include scopes outside this list in their granular sets.
+          'read:servicedesk-request',
+          'write:servicedesk-request',
+          'manage:servicedesk-customer',
           'read:servicedesk:jira-service-management',
           'read:requesttype:jira-service-management',
           'read:request:jira-service-management',

apps/sim/lib/oauth/utils.ts

@@ -168,6 +168,9 @@ export const SCOPE_DESCRIPTIONS: Record<string, string> = {
   'delete:issue-link:jira': 'Delete links between Jira issues',
 
   // Jira Service Management scopes
+  'read:servicedesk-request': 'View service desk requests',
+  'write:servicedesk-request': 'Create and update service desk requests',
+  'manage:servicedesk-customer': 'Manage service desk customers and organizations',
   'read:servicedesk:jira-service-management': 'View service desks and their settings',
   'read:requesttype:jira-service-management': 'View request types available in service desks',
   'read:request:jira-service-management': 'View customer requests in service desks',