Bitbucket cloud api PKCE Authorization flow - Client credentials missing

Brandon G
May 29, 2023

I have been following https://confluence.atlassian.com/bitbucketserver0720/bitbucket-oauth-2-0-provider-api-1116282017.html to log in to my Bitbucket repository, but am consistently getting told by Bitbucket's API that I am missing client credentials (including client_secret, which PKCE should not need).

Here is my setup:

  1. Bitbucket workspace with dummy consumer for test (client key is used as client_id) and included in the body of all requests
  2. local server running listening for the callback url

Here is my understanding of the flow:

  1. Client application sends users to 
    https://bitbucket.org/site/oauth2/authorize with client_id, code_challenge, response_type, redirect_uri, etc.
  2. user accepts access request and is redirected to redirect_uri with a code parameter
  3. redirect uri requests an access token from
    https://bitbucket.org/site/oauth2/access_token, sending the code verifier, code, and client id

#1 and #2 work - I get a code back, but site/oauth2/access_token expects a client id and secret - does PKCE not work for bb.org?
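The three steps above are the standard OAuth 2.0 authorization code flow with PKCE (RFC 7636). The following is an added example, not code from the original post or from Atlassian: it generates the code_verifier and the S256 code_challenge, builds the authorize URL for step 1 with the parameters the poster lists, assembles the step 3 form body a public client would send, and includes the check an authorization server performs when it compares the verifier to the stored challenge. The redirect URI and client_id are placeholders; the authorize endpoint URL is the one quoted in the question.

```python
"""PKCE helpers for the authorization code flow described in the question.

RFC 7636: code_verifier is 43..128 chars from [A-Za-z0-9-._~];
for method S256, code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
with the '=' padding removed. Added example, not Atlassian code.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Endpoint quoted in the question (Bitbucket Cloud).
AUTHORIZE_URL = "https://bitbucket.org/site/oauth2/authorize"


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes -> 43 base64url chars, the RFC's minimum length.

    Every base64url character is in the RFC's unreserved set, so the
    result is a valid verifier without further filtering.
    """
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """Derive the S256 challenge that goes in the authorize request."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_challenge(verifier: str, challenge: str) -> bool:
    """What the authorization server does at token time (constant-time compare)."""
    return hmac.compare_digest(code_challenge_s256(verifier), challenge)


def build_authorize_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Step 1: the URL the client sends the user to."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
        "state": state,  # random per request; the callback must check it matches
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def public_client_token_body(code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Step 3 as a public PKCE client would send it: verifier instead of a secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }


if __name__ == "__main__":
    # Placeholder client_id and local callback, as in the poster's setup.
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("my-client-key", "http://localhost:8080/callback", verifier, state))
```

The `state` value is not part of PKCE but belongs in any authorize request: the callback handler should reject a `code` whose accompanying `state` it did not issue, otherwise an attacker can inject their own authorization code into the client's session.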

1 answer

Patrik S
Atlassian Team
May 30, 2023

Hello @Brandon G and welcome to Atlassian Community!

I'm afraid the documentation you linked is for Bitbucket Server and not Bitbucket Cloud.

The Bitbucket Cloud API does not currently offer the Proof Key for Code Exchange (PKCE) so this is the reason why you are receiving that error.

In order to exchange the authorization code for an access token you will need to call the below endpoint:

curl -X POST -u "client_id:secret" https://bitbucket.org/site/oauth2/access_token -d grant_type=authorization_code -d code={code}

Where the client_id and secret are the values from the OAuth consumer you have created under your bitbucket workspace.

For more details on the available authentication methods for Bitbucket Cloud API, you can refer to the following documentation:

Thank you, @Brandon G !

Patrik S
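The curl command in the answer authenticates the token request itself with HTTP Basic credentials (the consumer's client_id and secret) and sends only grant_type and code in the form body. The following is an added example, not code from the answer or from Atlassian, that does the same exchange from Python: request construction and response handling are kept free of network I/O so they can be checked offline, and only exchange_code talks to the endpoint. The client_id, secret and code values, and the two sample responses, are constructed for illustration; the token endpoint URL is the one from the answer.

```python
"""Authorization code -> access token on Bitbucket Cloud, as in the answer's curl:

    curl -X POST -u "client_id:secret" .../access_token \
         -d grant_type=authorization_code -d code={code}

Added example, not Atlassian code.
"""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Endpoint quoted in the answer (Bitbucket Cloud).
TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token"

# Constructed sample responses for offline testing; not captured from Bitbucket.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "constructed-access-token",
    "refresh_token": "constructed-refresh-token",
    "token_type": "bearer",
    "expires_in": 7200,
}).encode()
SAMPLE_ERROR_RESPONSE = json.dumps({
    "error": "invalid_grant",
    "error_description": "constructed: code expired or already used",
}).encode()


def basic_auth_header(client_id: str, secret: str) -> str:
    """Exactly what curl -u "client_id:secret" puts in the Authorization header."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, secret: str, code: str) -> urllib.request.Request:
    """POST with the credentials in the header and only grant_type/code in the body."""
    body = urlencode({"grant_type": "authorization_code", "code": code}).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def parse_token_response(status: int, body: bytes) -> dict:
    """Accept a 200 with an access_token; surface RFC 6749 error responses as exceptions."""
    data = json.loads(body)
    if status != 200 or "access_token" not in data:
        raise RuntimeError(
            f"token exchange failed ({status}): "
            f"{data.get('error')}: {data.get('error_description')}"
        )
    return data


def exchange_code(client_id: str, secret: str, code: str) -> dict:
    """Live call. urllib raises HTTPError on 4xx/5xx; the body still carries the OAuth error."""
    req = build_token_request(client_id, secret, code)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return parse_token_response(e.code, e.read())


if __name__ == "__main__":
    # Placeholder values; replace with the consumer's key/secret and the code from the callback.
    print(exchange_code("my-client-key", "my-client-secret", "code-from-callback"))
```

Because the secret is presented on every exchange, this step is a confidential-client operation: keep it in a component you control (a server or a local helper the user runs, loading the secret from the environment or a secret store), never hard-coded in a binary you distribute. Treat the returned refresh_token with the same care as the secret.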

bguest
May 30, 2023

Thanks and got it! I am building a client-side application that has an embedded web server to handle callbacks, but was hoping to use PKCE so that I didn't have to use the implicit grant flow or store the client secret within my application. Not a huge deal.


Deployment type: Cloud
Permissions level: Site Admin