App Password change, does it impact OAuth2?

Hi all,

I have been informed of this change.

https://bitbucket.org/blog/deprecating-atlassian-account-password-for-git-and-bitbucket-api-activity

Separately, I have received an email with the following content:

Beginning March 1, 2022, you will no longer be able to use your Atlassian account password when using Basic authentication with the Bitbucket API or Git over HTTPS. For security reasons, we require all users to use Bitbucket app passwords.

I am trying to understand the scope of the change and its impact. It states that I cannot log in with an Atlassian account and password and requires all users to use Bitbucket app passwords. However, besides using app passwords, I also log in using OAuth2. https://developer.atlassian.com/cloud/bitbucket/oauth-2/

In the case of GCP Build Triggers, when I first set up the Bitbucket repository to connect to, I need to go through the "Authorization Code Grant" flow and acknowledge what access I am granting to Google Cloud Source Repository. If I check the Bitbucket API endpoints being called, they are URLs that are being used for "Authorization Code Grant" flow.

Based on these findings, am I right to say that there is no necessity to change existing triggers or mirrored repositories on GCP since they are using OAuth2 in the first place instead of Atlassian accounts and passwords?

Can I still use the JWT access tokens to access Bitbucket and clone/pull Git repositories after the App Password changes? Or is App Password the only way to login?

1 answer

1 vote
David Dansby Atlassian Team Feb 14, 2022

Hey Chee Hwee Chai, 

My name is David and I'm a backend engineer on the Bitbucket Cloud team.

Just to be clear, you are currently using the JWT access token in place of the OAuth access token, correct? If so, then you will not be required to make any changes. 

To be more specific, Bitbucket Cloud supports three of OAuth 2.0's (RFC-6749) grant flows, plus a custom Bitbucket flow for exchanging JWT tokens for access tokens. Note that Resource Owner Password Credentials Grant (4.3) is no longer supported. If my understanding is correct in that you are using JWT access token for the authentication method, then you are correct, you will not require any changes. 

You can find more info regarding our allowed authentication methods in our REST API docs here.

Happy coding, 

David Dansby
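
An audit sketch for the distinction drawn in this thread, added here as an example (it is not from the original post or from Atlassian): it classifies Git remote URLs by how they authenticate to Bitbucket Cloud, so that HTTPS remotes relying on Basic authentication can be checked for an app password. The sample remotes are constructed, and the `x-token-auth` username for OAuth access tokens is assumed from Bitbucket's OAuth documentation; the script cannot tell an account password from an app password, it only flags where to look.

```python
from urllib.parse import urlsplit

# Constructed sample remotes (placeholders, not real repositories or secrets).
SAMPLE_REMOTES = [
    "git@bitbucket.org:team/repo.git",
    "https://x-token-auth:EXAMPLE_TOKEN@bitbucket.org/team/repo.git",
    "https://alice:EXAMPLE_SECRET@bitbucket.org/team/repo.git",
    "https://alice@bitbucket.org/team/repo.git",
    "https://github.com/team/repo.git",
]

def classify_remote(url):
    """Return how a Git remote authenticates to Bitbucket Cloud."""
    if "://" not in url:
        # scp-like syntax (user@host:path) always means SSH.
        host = url.split("@")[-1].split(":")[0]
        return "ssh-key" if host == "bitbucket.org" else "not-bitbucket"
    parts = urlsplit(url)
    if parts.hostname != "bitbucket.org":
        return "not-bitbucket"
    if parts.scheme == "ssh":
        return "ssh-key"
    if parts.username == "x-token-auth":
        # Assumption: OAuth access tokens are passed with this username.
        return "oauth-access-token"
    if parts.password:
        return "basic-embedded-secret"
    # No secret in the URL: Git asks a credential helper or prompts.
    return "basic-via-credential-helper"

def redact(url):
    """Mask an embedded secret so the report never echoes it."""
    parts = urlsplit(url)
    if parts.password:
        return url.replace(":" + parts.password + "@", ":***@", 1)
    return url

def remotes_needing_review(remotes):
    """List (redacted_url, kind) for remotes that use Basic authentication."""
    basic = {"basic-embedded-secret", "basic-via-credential-helper"}
    return [(redact(r), classify_remote(r)) for r in remotes
            if classify_remote(r) in basic]

if __name__ == "__main__":
    for url, kind in remotes_needing_review(SAMPLE_REMOTES):
        print(f"{kind:30} {url}")
```

To check a real checkout, feed it the URLs printed by `git remote -v` in place of `SAMPLE_REMOTES`.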
