
App Password change, does it impact OAuth2?

Chee Hwee Chai February 8, 2022

Hi all,

I have been informed of this change.

https://bitbucket.org/blog/deprecating-atlassian-account-password-for-git-and-bitbucket-api-activity

Separately, I have received an email with the following content:

Beginning March 1, 2022, you will no longer be able to use your Atlassian account password when using Basic authentication with the Bitbucket API or Git over HTTPS. For security reasons, we require all users to use Bitbucket app passwords.

I am trying to understand the scope of the change and its impact. It states that I cannot log in with my Atlassian account and password and requires all users to use Bitbucket app passwords. However, besides using app passwords, I also log in using OAuth2. https://developer.atlassian.com/cloud/bitbucket/oauth-2/

In the case of GCP Build Triggers, when I first set up the Bitbucket repository to connect to, I need to go through the "Authorization Code Grant" flow and acknowledge what access I am granting to Google Cloud Source Repository. If I check the Bitbucket API endpoints being called, they are URLs that are being used for "Authorization Code Grant" flow.

Based on these findings, am I right to say that there is no necessity to change existing triggers or mirrored repositories on GCP since they are using OAuth2 in the first place instead of Atlassian accounts and passwords?

Can I still use the JWT access tokens to access Bitbucket and clone/pull Git repositories after the App Password changes? Or is App Password the only way to log in?

1 answer

1 vote
David Dansby
Atlassian Team
February 14, 2022

Hey Chee Hwee Chai, 

My name is David and I'm a backend engineer on the Bitbucket Cloud team.

Just to be clear, you are currently using the JWT access token in place of the OAuth access token, correct? If so, then you will not be required to make any changes. 

To be more specific, Bitbucket Cloud supports three of OAuth 2.0's (RFC-6749) grant flows, plus a custom Bitbucket flow for exchanging JWT tokens for access tokens. Note that Resource Owner Password Credentials Grant (4.3) is no longer supported. If my understanding is correct in that you are using JWT access token for the authentication method, then you are correct, you will not require any changes. 

You can find more info regarding our allowed authentication methods in our REST API docs here.

Happy coding, 

David Dansby
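
An added example, not part of the original thread and not Atlassian's code: a small audit that sorts git remote URLs and `Authorization` header values into those that use Basic authentication (and so must carry an app password rather than the account password) and those that use SSH or an OAuth access token. The function names and sample values are constructed for illustration; the `x-token-auth` username is the convention from Bitbucket's OAuth documentation, not from this page.

```python
import base64
from urllib.parse import urlsplit

HOSTS = {"bitbucket.org", "api.bitbucket.org"}

# Constructed sample remotes (not real repositories or credentials).
SAMPLE_REMOTES = [
    "git@bitbucket.org:team/repo.git",
    "https://alice:example-secret@bitbucket.org/team/repo.git",
    "https://x-token-auth:example-token@bitbucket.org/team/repo.git",
    "https://alice@bitbucket.org/team/other.git",
]

def classify_remote(url):
    """Classify a git remote URL by how it authenticates to Bitbucket Cloud."""
    if "://" not in url:  # scp-style SSH remote or a local path
        host = url.split("@")[-1].split(":")[0]
        return "ssh" if host in HOSTS else "not-bitbucket"
    parts = urlsplit(url)
    if parts.hostname not in HOSTS:
        return "not-bitbucket"
    if parts.scheme == "ssh":
        return "ssh"
    # Assumption: x-token-auth marks an OAuth access token in a git URL.
    if parts.username == "x-token-auth":
        return "oauth-token"
    # Password in the URL, or supplied later by a credential helper or prompt.
    return "basic"

def classify_header(value):
    """Classify an HTTP Authorization header value sent to the Bitbucket API."""
    scheme, _, cred = value.strip().partition(" ")
    if scheme.lower() == "bearer":
        return "oauth-token"
    if scheme.lower() != "basic":
        return "malformed"
    try:
        user = base64.b64decode(cred, validate=True).decode().partition(":")[0]
    except ValueError:  # invalid base64 or non-UTF-8 bytes
        return "malformed"
    return "oauth-token" if user == "x-token-auth" else "basic"

def needs_review(remotes, headers=()):
    """Return inputs whose secret could be an Atlassian account password."""
    found = [(r, classify_remote(r)) for r in remotes]
    found += [(h, classify_header(h)) for h in headers]
    return [item for item, kind in found if kind == "basic"]

if __name__ == "__main__":
    for remote in needs_review(SAMPLE_REMOTES):
        print("check credential type:", remote)
```

The script cannot tell an app password from an account password, so every `basic` result still has to be checked by hand against the credential actually stored for that remote or client.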
