How can I troubleshoot Bitbucket OAuth authentication permission issues via Jenkins?

Dave Wolff December 16, 2021

Our team has had the Jenkins Bitbucket OAuth plugin working great for years. This morning, with no changes to the Jenkins server as far as I can tell, I am unable to access Jenkins. I am able to authenticate to Jenkins, but it tells me that my account "is missing the Overall/Read permission".

Other members of my team do not receive this error message even though we have the same permissions set up in Bitbucket. The authorization configuration on Jenkins has not changed and it appears to be correct. My suspicion is that something has gone haywire with Bitbucket's OAuth for my user account, but I have no way to discern if this is true.

Is there a way I can begin troubleshooting this issue to gain some insight as to if the failure is with Bitbucket OAuth? In particular:

  1. If I can see what groups are being reported assigned to my user account, that would be a fabulous start. 
  2. If there is some documentation to determine how Bitbucket assigns groups to OAuth users, that would also be handy. In particular, how does a Bitbucket user get assigned the "<team>::admin", "<team>::contributor" and "<team>::member" groups/roles via the Jenkins plugin? I don't know if this is related specifically to the Jenkins Bitbucket OAuth plugin, or if it's something innate to Bitbucket and how it reports groups/permissions.

Thanks in advance,
Dave Wolff

2 answers

Answer accepted
Dave Wolff December 16, 2021

After much debugging, it appears that the Bitbucket API may have changed and the URL that the Jenkins Bitbucket OAuth plugin is using to get access to team memberships has been deprecated and has moved very recently?

The following URL is used by the plugin to access team roles: 

https://api.bitbucket.org/2.0/teams?role=<admin|contributor|member>

When I invoke it using API credentials (not via OAuth), I receive an error pointing me to this page https://developer.atlassian.com/cloud/bitbucket/rest/api-group-teams/#api-teams-get which indicates that the endpoint is deprecated and has been removed.

This doesn't explain why my colleagues can still access the Jenkins instance but I cannot. So it may be a misdiagnosis, but our varying success could also be explained by some level of caching, or maybe session expiration/refresh has occurred.

Dave Wolff December 16, 2021

Adding further to the mystery.  The other team members get a proper response from the https://api.bitbucket.org/2.0/teams?role=admin endpoint.  So somehow it's just my account that is receiving the error/removed message.

Dave Wolff December 16, 2021

So the correct analysis as far as I can tell is that I can authenticate to Jenkins via Bitbucket OAuth, but I receive zero permissions since my user account cannot get results from the following endpoint:

https://api.bitbucket.org/2.0/teams?role=<admin|contributor|member>

My team members all get viable results from the endpoint so it's truly perplexing why I am told that the endpoint has been moved.

Looks like we may be switching to Jenkins local user authentication again. If any Bitbucket team member wants to chime in and explain why this might be happening, I'd appreciate it!
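
The failure mode described in this thread, as an added example that is not part of the original posts or the plugin's code: a Python sketch that turns captured responses from the `teams?role=...` lookups into `<team>::<role>` group names and reports which lookups failed. The `values`/`username` response fields, the HTTP 410 status and the sample bodies are assumptions constructed for illustration.

```python
import json

ROLES = ("admin", "contributor", "member")

def groups_from_responses(responses):
    """Map captured (status, body) pairs per role to Jenkins-style group names.

    Fails closed: a role whose lookup did not return usable JSON grants nothing.
    """
    groups, problems = set(), []
    for role in ROLES:
        status, body = responses.get(role, (None, ""))
        if status != 200:
            problems.append(f"{role}: HTTP {status}, no groups from this role")
            continue
        try:
            teams = json.loads(body).get("values", [])
        except (ValueError, AttributeError):
            problems.append(f"{role}: body is not a JSON object")
            continue
        # Assumption: each team entry carries its name in "username".
        groups.update(f"{t['username']}::{role}" for t in teams if t.get("username"))
    return groups, problems

def verdict(responses):
    """Summarise what the captured lookups mean for Jenkins authorization."""
    groups, problems = groups_from_responses(responses)
    if not groups:
        return "login succeeds but no groups are granted (missing Overall/Read)"
    if problems:
        return "partial group list; some role lookups failed"
    return "all role lookups answered"

# Constructed sample data (not real API output).
TEAM = json.dumps({"values": [{"username": "exampleteam"}]})
EMPTY = json.dumps({"values": []})
GONE = json.dumps({"type": "error", "error": {"message": "This API has been removed"}})
WORKING = {"admin": (200, TEAM), "contributor": (200, EMPTY), "member": (200, TEAM)}
AFFECTED = {role: (410, GONE) for role in ROLES}

if __name__ == "__main__":
    for label, sample in (("colleague", WORKING), ("affected user", AFFECTED)):
        groups, problems = groups_from_responses(sample)
        print(label, sorted(groups), problems, verdict(sample))
```

To check a real account, capture the status code and body of each role lookup for that user and pass them in the same shape as `WORKING`.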

David Sweeney December 17, 2021

I'm experiencing the same issue at our company. Also started yesterday. I'm able to authenticate via OAuth but group membership is not being passed back from the API.

Dave Wolff December 17, 2021

It's highly unfortunate. We switched over to using local Jenkins user accounts for the time being.  If the docs here are any indication of where the Bitbucket API is going, then I doubt that the situation will improve.  It seems that the API call used to fetch group memberships was slated to be removed sometime last year.

It seems that the Bitbucket OAuth plugin may need to be updated.

We don't have many users, so switching to local Jenkins user accounts didn't take much time, thankfully.

Dave Wolff December 17, 2021

I received a response from the Bitbucket team and it's as suspected. They're officially axing the endpoint.

They gave an explanation why it is working for some people:
"The reason some of your colleagues are still being able to get results by calling Teams API endpoint, is because we are gradually rolling out the removal of this API. Starting next week, we are completely removing this endpoint, please make sure your entire team switches over to workspaces endpoint as soon as possible."

It looks like the Bitbucket OAuth plugin already has a fix in the works, so we can hopefully resume use of the plugin soon:
https://github.com/jenkinsci/bitbucket-oauth-plugin/pull/8/commits/4c1fa557d0e30603f9528b9d3c2ea2761d77710f

Nathan Holmberg December 23, 2021

Thank you for your analysis and reports! This has saved a lot of time debugging

Dave Wolff December 17, 2021

I've opened a support ticket with Bitbucket to hopefully get a straight answer on the flaky API.  I don't expect to hear anything positive though, so I've moved away from using the Bitbucket OAuth Plugin and we're using local Jenkins user accounts for now.
