Bitbucket cloud api PKCE Authorization flow - Client credentials missing

Brandon G
I'm New Here
May 29, 2023

I have been following: https://confluence.atlassian.com/bitbucketserver0720/bitbucket-oauth-2-0-provider-api-1116282017.html to login to my bitbucket repository, but am consistently getting told by bitbucket's api that I am missing client credentials (including client_secret, which PKCE should not need).

Here is my setup:

  1. Bitbucket workspace with dummy consumer for test (client key is used as client_id) and included in the body of all requests
  2. local server running listening for the callback url

Here is my understanding of the flow:

  1. Client application sends users to https://bitbucket.org/site/oauth2/authorize with client_id, code_challenge, response_type, redirect_uri, etc.
  2. User accepts the access request and is redirected to redirect_uri with a code parameter
  3. Redirect URI requests an access token from https://bitbucket.org/site/oauth2/access_token, sending the code verifier, code, and client id

#1 and #2 work - I get a code back, but site/oauth2/access_token expects a client id and secret - does PKCE not work for bb.org?

1 answer

1 vote
Patrik S
Atlassian Team
May 30, 2023

Hello @Brandon G and welcome to Atlassian Community!

I'm afraid the documentation you linked is for Bitbucket Server and not Bitbucket Cloud.

The Bitbucket Cloud API does not currently offer the Proof Key for Code Exchange (PKCE) so this is the reason why you are receiving that error.

In order to exchange the authorization code for an access token you will need to call the below endpoint:

curl -X POST -u "client_id:secret" https://bitbucket.org/site/oauth2/access_token -d grant_type=authorization_code -d code={code}

Where the client_id and secret are the values from the OAuth consumer you have created under your bitbucket workspace.

For more details on the available authentication methods for Bitbucket Cloud API, you can refer to the following documentation:

Thank you, @Brandon G !

Patrik S
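The three steps Brandon describes, with step 3 done the way Patrik's curl command shows (client id and secret in HTTP Basic auth, no code_verifier), as an added example that is not part of the thread and not Atlassian code. The client id, secret, callback URL and state values are constructed placeholders; the request is built as a plain dict so it can be inspected without a network round trip.

```python
"""Bitbucket Cloud OAuth 2.0 authorization-code exchange (no PKCE).
Constructed example; endpoint URLs are the ones quoted in the thread."""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://bitbucket.org/site/oauth2/authorize"
TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token"


def new_state() -> str:
    """Random, unguessable state value bound to one authorization attempt."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: URL the user is sent to. No code_challenge is included
    because Bitbucket Cloud does not offer PKCE."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def extract_code(callback_url: str, expected_state: str) -> str:
    """Step 2: pull `code` out of the redirect to the local listener.
    The code is only accepted when `state` matches the value we generated,
    so a code that did not originate from our own request is never exchanged."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not from our own request")
    if "error" in query:
        raise ValueError(f"authorization refused: {query['error'][0]}")
    return query["code"][0]


def build_token_request(client_id: str, client_secret: str, code: str) -> dict:
    """Step 3: equivalent of
    curl -u "client_id:secret" .../access_token -d grant_type=authorization_code -d code=...
    Client credentials go in the Basic Authorization header; grant type and
    code go in the form body. Returned as a dict for any HTTP client to send."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "authorization_code", "code": code}),
    }
```

To actually send step 3, pass the dict to an HTTP client, e.g. `requests.post(r["url"], headers=r["headers"], data=r["body"])`.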

Deleted user May 30, 2023

Thanks and got it! I am building a client side application that has an embedded web server to handle callbacks but was hoping to use pkce so that I didn't have to use the implicit grant flow or store the client secret within my application. Not a huge deal

Jim Fisk
I'm New Here
November 11, 2024

Hi @Patrik S

Thanks for clarifying the distinction between Bitbucket Server and Bitbucket Cloud, I was also looking at the wrong documentation!

Are there any plans to add PKCE support for Bitbucket Cloud?

I see that Implicit Grant is supported "for browser-based add-ons that operate without server-side backends" which is great, but my understanding is that PKCE would be more secure for this purpose.

This article titled "Implicit Flow is Dead, Try PKCE Instead" says:

"For native and browser-based JavaScript apps, it is now widely considered a best practice to use the Authorization Code flow with the PKCE extension, instead of the Implicit flow."

Thank you!

Patrik S
Atlassian Team
November 12, 2024

Hello @Jim Fisk ,

There are currently no plans to introduce support for the PKCE flow, but I went ahead and raised a feature request with our engineering team to include this functionality:

We encourage you to add your Vote there to express your interest, and also include a comment with your use-case so our product management team can better understand the context. By setting yourself as a watcher in that ticket, you'll also be notified by email of any future updates towards its implementation.

Thank you, @Jim Fisk!

Patrik S

Jim Fisk
I'm New Here
November 13, 2024

Thank you for creating this feature request @Patrik S
