Can we restrict what repositories an OAuth Consumer has access to?

Ryan Taylor June 30, 2023

I want to use an OAuth Consumer to connect our Jenkins server to Bitbucket per the instructions here https://github.com/jenkinsci/bitbucket-branch-source-plugin/blob/master/docs/USER_GUIDE.adoc

However, I would like to restrict what repos an OAuth Consumer can access, either per repo, or per project. Several questions...

  1. Is this doable?
  2. Is an OAuth consumer creatable by only admins in the workspace?
  3. What determines what repos an OAuth consumer can see?


1 answer

Answer accepted
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 3, 2023

Hi Ryan and welcome to the community!

The access token obtained from an OAuth consumer can access all repos of the workspace the consumer belongs to.

Only admins of a workspace can create an OAuth consumer.

If you want to restrict access, instead of OAuth you could use the credentials (username and app password) of a Bitbucket account that has access only to the repositories that you want the plugin to access. This could be a new Bitbucket account that you set up only for CI purposes or an existing account.

Please feel free to reach out if you have any other questions.

Kind regards,
Theodora
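
The answer above states that an OAuth consumer's token reaches every repository in the workspace, and suggests a separately provisioned account with an app password as the way to narrow that. Whichever credential ends up in Jenkins, the practical check is to enumerate what it can actually see before wiring it in and compare that against the repositories the CI instance is meant to build. The script below is an added example, not code from the thread or from the Bitbucket plugin; it assumes the Bitbucket Cloud 2.0 REST API's repository listing shape (`GET /2.0/repositories/{workspace}` returning `values` plus a `next` page URL) and runs offline against constructed sample pages, with a real HTTP fetcher included for use against a live workspace.

```python
"""Audit which Bitbucket Cloud repositories a CI credential can reach.

Added example (not from the thread). Assumptions: the Bitbucket Cloud 2.0
API paginates repository listings as {"values": [...], "next": "<url>"},
and the credential is either a username/app-password pair (Basic auth) or
an OAuth bearer token; the workspace and repository names are constructed.
"""
import base64
import json
import urllib.request
from typing import Callable, Iterable, Optional

Page = dict


def list_reachable_repos(fetch_page: Callable[[str], Page], first_url: str) -> list[str]:
    """Follow Bitbucket-style pagination and collect every repository
    full_name the credential can see. fetch_page maps a URL to its JSON page."""
    names: list[str] = []
    url: Optional[str] = first_url
    seen: set[str] = set()  # guard against a malformed or looping "next" chain
    while url and url not in seen:
        seen.add(url)
        page = fetch_page(url)
        names.extend(repo["full_name"] for repo in page.get("values", []))
        url = page.get("next")
    return sorted(names)


def excess_access(reachable: Iterable[str], allowed: Iterable[str]) -> list[str]:
    """Repositories the credential can reach but this CI instance should not touch."""
    return sorted(set(reachable) - set(allowed))


def basic_auth_header(username: str, app_password: str) -> str:
    """Authorization header value for a username/app-password pair."""
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    return f"Basic {token}"


def make_http_fetcher(auth_header: str) -> Callable[[str], Page]:
    """Real fetcher for a live workspace: GET the URL with the given
    Authorization value (Basic ... or Bearer ...) and decode the JSON body."""
    def fetch(url: str) -> Page:
        req = urllib.request.Request(url, headers={"Authorization": auth_header})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


# Constructed sample pages standing in for two API responses (offline run).
FIRST_URL = "https://api.bitbucket.org/2.0/repositories/example-ws?pagelen=2"
SAMPLE_PAGES: dict[str, Page] = {
    FIRST_URL: {
        "values": [{"full_name": "example-ws/web-app"}, {"full_name": "example-ws/infra"}],
        "next": FIRST_URL + "&page=2",
    },
    FIRST_URL + "&page=2": {
        "values": [{"full_name": "example-ws/payroll"}],
    },
}


def sample_fetcher(url: str) -> Page:
    """Offline stand-in for make_http_fetcher(...) using the constructed pages."""
    return SAMPLE_PAGES[url]


def audit_sample() -> list[str]:
    """Run the audit against the constructed pages with an allowlist of one repo.
    Returns the repositories the credential can reach beyond that allowlist."""
    reachable = list_reachable_repos(sample_fetcher, FIRST_URL)
    return excess_access(reachable, ["example-ws/web-app"])


if __name__ == "__main__":
    extra = audit_sample()
    if extra:
        print("credential is over-scoped; it can also reach:", ", ".join(extra))
    else:
        print("credential reaches only the allowlisted repositories")
```

Against a live workspace, replace `sample_fetcher` with `make_http_fetcher(basic_auth_header(user, app_password))` (or a `Bearer` value for an OAuth token) and the real `/2.0/repositories/<workspace>` URL; a non-empty result from `excess_access` is the signal that the credential sees more than the Jenkins instance needs, which for an OAuth consumer is, per the answer above, the whole workspace.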

Ryan Taylor July 13, 2023

@Theodora Boudale We would prefer to not use an existing user account. Our users tend to have more permissions than our restricted CI accounts and there's the question of what happens when a user leaves the org. Do all the builds break when their account is deactivated?

However, I suspect the CI-only account would contribute to our monthly bill. Can you confirm or deny this?

The OAuth consumer seemed like a good solution, until we saw (and you confirmed) that it has access to all repos in the workspace. We really do not want every Jenkins instance in our org to see all the repos in our workspace.

Is there a feature request for limiting what projects and/or repos an OAuth consumer can access? It seems pretty restrictive for an OAuth consumer to be able to access all projects and repos in the workspace.

Theodora Boudale
Atlassian Team
July 17, 2023

Hi Ryan,

A CI-only account will indeed count as a billable user if it has access to the workspace's private repos.

There is no existing feature request for limiting the repos an OAuth consumer can access. I went ahead and created one in our public issue tracker here:

Please feel free to let me know if you have any other questions.

Kind regards,
Theodora

DEPLOYMENT TYPE
CLOUD
PERMISSIONS LEVEL
Product Admin