Our team has had the Jenkins Bitbucket OAuth plugin working great for years. This morning, with no changes to the Jenkins server as far as I can tell, I am unable to access Jenkins. I am able to authenticate to Jenkins, but it tells me that my account "is missing the Overall/Read permission".
Other members of my team do not receive this error message even though we have the same permissions set up in Bitbucket. The authorization configuration on Jenkins has not changed and it appears to be correct. My suspicion is that something has gone haywire with Bitbucket's OAuth for my user account, but I have no way to discern if this is true.
Is there a way I can begin troubleshooting this issue to gain some insight as to if the failure is with Bitbucket OAuth? In particular:
Thanks in advance,
After much debugging, it appears that the Bitbucket API may have changed and the URL that the Jenkins Bitbucket OAuth plugin is using to get access to team memberships has been deprecated and has moved very recently?
The following URL is used by the plugin to access team roles:
When I invoke it using API credentials (not via OAuth), I receive an error pointing me to this page https://developer.atlassian.com/cloud/bitbucket/rest/api-group-teams/#api-teams-get which indicates that the endpoint is deprecated and has been removed.
This doesn't explain why my colleagues can still access the Jenkins instance but I cannot. So it may be a misdiagnosis, but our varying success could also be explained by some level of caching, or maybe session expiration/refresh has occurred.
So the correct analysis as far as I can tell is that I can authenticate to Jenkins via Bitbucket OAuth, but I receive zero permissions since my user account cannot get results from the following endpoint:
My team members all get viable results from the endpoint so it's truly perplexing why I am told that the endpoint has been moved.
Looks like we may be switching to Jenkins local user authentication again. If any Bitbucket team member wants to chime in and explain why this might be happening, I'd appreciate it!
It's highly unfortunate. We switched over to using local Jenkins user accounts for the time being. If the docs here are any indication of where the Bitbucket API is going, then I doubt that the situation will improve. It seems that the API call used to fetch group memberships was slated to be removed sometime last year.
It seems that the Bitbucket OAuth plugin may need to be updated.
We don't have many users, so switching to local Jenkins user accounts didn't take much time, thankfully.
I received a response from the Bitbucket team and it's as suspected. They're officially axing the endpoint.
They gave an explanation why it is working for some people:
"The reason some of your colleagues are still being able to get results by calling Teams API endpoint, is because we are gradually rolling out the removal of this API. Starting next week, we are completely removing this endpoint, please make sure your entire team switches over to workspaces endpoint as soon as possible."
It looks like the Bitbucket OAuth plugin already has a fix in the works, so we can hopefully resume use of the plugin soon: