fix(jira): add classic JSM scopes to close granular scope-set gap (#5005)

* fix(jira): add classic JSM scopes to close granular scope-set gap

* fix(jira): note read:user:jira requirement for granular-only tokens in docs

Author: waleedlatif1

apps/docs/content/docs/en/integrations/atlassian-service-account.mdx

@@ -64,13 +64,20 @@ The service account inherits permissions from the project/space roles you grant
   <Step>
     Select the scopes the token needs. The minimum set Sim's Jira and Confluence blocks expect is:
 
-    **Jira (granular):**
+    **Jira (classic):**
     ```
     read:jira-user
     read:jira-work
     write:jira-work
     ```
 
+    **Jira Service Management (classic):**
+    ```
+    read:servicedesk-request
+    write:servicedesk-request
+    manage:servicedesk-customer
+    ```
+
     **Confluence (granular):**
     ```
     read:confluence-content.all
@@ -82,6 +89,10 @@ The service account inherits permissions from the project/space roles you grant
 
     Add more scopes only if you need the corresponding operations (delete, manage webhooks, etc.). The full list of scopes Sim's blocks may use is documented in [Atlassian's developer reference](https://developer.atlassian.com/cloud/jira/platform/scopes-for-oauth-2-3LO-and-forge-apps/).
 
+    <Callout type="warn">
+      Prefer the classic scopes above over granular equivalents. Atlassian enforces an endpoint's granular scope list as all-or-nothing, so a token built from a partial granular set fails with `Unauthorized; scope does not match` even though each individual scope was granted. The classic scopes each cover their product's endpoints on their own. If your organization only permits granular scopes, include every scope listed for each endpoint in Atlassian's reference — Jira Service Management request operations also require `read:user:jira`.
+    </Callout>
+
     <div className="flex justify-center">
       <Image
         src="/static/credentials/atlassian/admin-scope-picker.png"

apps/sim/connectors/jsm/jsm.ts

@@ -334,6 +334,12 @@ export const jsmConnector: ConnectorConfig = {
     mode: 'oauth',
     provider: 'jira',
     requiredScopes: [
+      /**
+       * Atlassian enforces granular scope sets all-or-nothing; the classic scope
+       * alone authorizes the request read endpoints, so require it to flag stale
+       * credentials that predate it in the provider scope list.
+       */
+      'read:servicedesk-request',
       'read:servicedesk:jira-service-management',
       'read:request:jira-service-management',
       'read:request.comment:jira-service-management',

apps/sim/lib/oauth/oauth.ts

@@ -515,12 +515,18 @@ export const OAUTH_PROVIDERS: Record<string, OAuthProviderConfig> = {
           'read:me',
           'offline_access',
           'read:issue.vote:jira',
+          'read:user:jira',
           'delete:issue:jira',
           'delete:comment:jira',
           'delete:attachment:jira',
           'delete:issue-worklog:jira',
           'delete:issue-link:jira',
-          // Jira Service Management scopes
+          // Jira Service Management scopes. The classic scopes are required: Atlassian
+          // enforces an endpoint's granular scope set as all-of, and several JSM request
+          // endpoints include scopes outside this list in their granular sets.
+          'read:servicedesk-request',
+          'write:servicedesk-request',
+          'manage:servicedesk-customer',
           'read:servicedesk:jira-service-management',
           'read:requesttype:jira-service-management',
           'read:request:jira-service-management',

apps/sim/lib/oauth/utils.ts

@@ -168,6 +168,9 @@ export const SCOPE_DESCRIPTIONS: Record<string, string> = {
   'delete:issue-link:jira': 'Delete links between Jira issues',
 
   // Jira Service Management scopes
+  'read:servicedesk-request': 'View service desk requests',
+  'write:servicedesk-request': 'Create and update service desk requests',
+  'manage:servicedesk-customer': 'Manage service desk customers and organizations',
   'read:servicedesk:jira-service-management': 'View service desks and their settings',
   'read:requesttype:jira-service-management': 'View request types available in service desks',
   'read:request:jira-service-management': 'View customer requests in service desks',