Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to add OAuth consumers to allowed writers in protected branch?

Marcin Nowak
Marcin Nowak August 18, 2022

Hello, I'm facing a problem with semantic versioning in Bitbucket. Right now I'm out of ideas. I use OAuth consumer to provide access to repository for plugin. On merge to develop a pipeline is triggered so the semantic versioning plugin can handle versioning. Also in our project we use protected branches so you can't commit directly to the develop. When I added a user from wich I created OAuth consumer to allowed writers in protected develop branch it's still not working. It's clear that with OAuth consumer it's not a user who is authenticate, it's OAuth consumer and you can't add this consumer to allowed writes in protected branch. I tried to use App passwords but it's not supported right now in pipelines, so it's not working. I also for testing purpose I disabled a protection on branch and see if maybe I broke something during setting up the plugin, but then it was working. In addition I created environment variables like: GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL to point for a user from which I created a consumer and still not working. I don't know how we can resolve this problem..Zrzut ekranu 2022-08-19 o 09.49.59.png

Answer
Watch
Like Be the first to like this
630 views

1 answer

0 votes
Theodora Boudale
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 19, 2022

Hi @Marcin Nowak,

1. Can you please confirm if you are using Bitbucket Pipelines and if you are trying to push from Pipelines?

2. Are you trying to push new commits from the Pipeline to your repo?

I can see in your screenshot that the command executed is git push --tags, however pushing tags should be possible even with branch restrictions (pushing tags is not subject to branch restrictions, since it is not pushing new code).

Could you please confirm what operation is failing?

3. Have you created this consumer for a user's personal workspace? (A personal workspace is the workspace created by Bitbucket Cloud when a user signs up for an account) Or did you create it for the workspace that owns the repo where you are pushing?

4. You mentioned that you tried to use App passwords but it's not supported right now in pipelines. Could you please clarify what you mean that it's not supported, and share some details about your configuration?

If you are using Bitbucket Pipelines, and you want to push back to the same repo where Pipelines is running, you can change the remote URL of the repo with the following command in your bitbucket-pipelines.yml file

git remote set-url origin https://<your username>:${app_password}@bitbucket.org/${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}

where <your username> replace with the Bitbucket username of the user (who is added in branch permissions)
app_password replace with the name of a Pipelines variable you create that holds an app password for this user

The author and committer email are not relevant, as they are not used for authentication.

Kind regards,
Theodora

View More Comments
Marcin Nowak
Marcin Nowak August 29, 2022

Hi!

1. Yes I use Bitbucket Pipelines in whole process

2. The plugin it self commit and push changes (new version in package.json and changelog) + create new tag. It occurs an unauthorized error while pushing commit.

3. I created consumer in the project workspace with permission for Repositories with Read, Write and Admin (for debugging).

4. I tried to use app password but I got this error: remote: Bitbucket Cloud recently stopped supporting account passwords for Git authentication.

Zrzut ekranu 2022-08-29 o 12.33.32.png

Like
Theodora Boudale
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 30, 2022

Hi Marcin,

Thank you for the info.

Regarding the OAuth consumer, I just realized that I didn't clarify in my previous response that it is not possible to add an OAuth consumer in the branch permissions. We have a feature request for the ability to do this: https://jira.atlassian.com/browse/BCLOUD-21768 I would recommend voting for it (by selecting the Vote for this issue link) if you'd be interested in that feature.

 

Regarding app passwords, I have tested pushing from Pipelines to my repo the way I described in my previous message, and it's something that works.

The error message you are seeing shows when the credentials are incorrect.
The remote URL you need to set is

https://<your username>:${app_password}@bitbucket.org/${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}

<your username> should be the Bitbucket username for the account you are using to push, exactly as it appears in https://bitbucket.org/account/settings/ of this account (and without the < and > characters). It should not be the label for the app password.

app_password in my example is the name of a secured Repository variable I created that holds an app password for the same user. You should leave this as ${app_password} in the remote url, so Pipelines can read the value of the variable.

Have you used a Repository variable for the app password?

Could you please let me know what remote URL shows in your Pipelines log, in the line 'fatal: Authentication failed for...'? Without revealing the actual values for privacy reasons, just use some dummy values but leave the format as is.

In case this is a deployment step, an additional thing to check is if you have a deployment variable with the same name as the variable you used for the app password (in this case, the deployment variable would overwrite the repository variable).

Kind regards,
Theodora

Like
Marcin Nowak
Marcin Nowak August 31, 2022

The command 

git remote set-url origin https://<your username>:${app_password}@bitbucket.org/${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}

didn't work out, but I finally resolved my problem by adding app password in the .releaserc file which is used by the Semantic Release plugin.

"repositoryUrl": "https://<your username>:APP_PASSWORD@bitbucket.org/${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}"

 Then in the pipeline I use sed command to change value APP_PASSWORD to true app password which is called BB_APP_PASSWORD in repository variables.

- sed -i "s/APP_PASSWORD/$BB_APP_PASSWORD/g" .releaserc
Like Theodora Boudale likes this
Theodora Boudale
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 2, 2022

Thank you for the update Marcin, it's good to hear that you figured this out.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events

    See all events