Is it possible to authenticate as a specific user in a script if 2FA is enabled for the user?

Tom Owens November 1, 2019

I'd like to automate portions of a branching, tagging, and merging strategy. I'd like to create branches, get diffs between two branches, check for open Pull Requests, apply tags, push those branches to Bitbucket, and open Pull Requests. However, many of these actions require authenticating and authorizing a user, and I'd like them to be authorized against a particular user so when the changes are pushed to Bitbucket, you can see the person who ran the scripts that took the actions (for traceability).

I see ways to authenticate a user with their username and password, but these methods are documented as not working with 2FA turned on. Other methods are about authenticating the application and not a user of the system, which I'm not sure is acceptable in the context.

1 answer

0 votes
Daniil Penkin
Atlassian Team
November 1, 2019

Hello @Tom Owens,

Thanks for reaching out.

You're right, regular credentials won't work when 2FA is enabled. In this case you have two options to authenticate API calls:

  • app password – it works together with your username and can be scoped to only some functionality of Bitbucket
  • OAuth 2.0 (look for 3-LO flow) – this is more complicated, but many tools already support this auth method. This is a better option from a security perspective as the token you're authenticating requests with is short-lived.

Hope this helps. Let me know if you have any questions.

Cheers,
Daniil

Tom Owens November 4, 2019

I can take a deeper look at the 3-LO flow, but this is for a script that doesn't run in a browser, so it may take a bit of extra work to get that working. I think the first step is to see what functionality an app password provides - that may be sufficient.
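
The app password option from the answer above, sketched as an added example (not code from the thread or from Atlassian): a script sends the username and app password as HTTP Basic credentials to the Bitbucket Cloud REST API, so the requests run as that user. The environment variable names BB_USER and BB_APP_PASSWORD, the helper names, and the workspace and repository names are assumptions made for illustration.

```python
import base64
import json
import os
import urllib.request

API = "https://api.bitbucket.org/2.0"  # Bitbucket Cloud REST API base URL

def load_credentials(env=os.environ):
    """Read the username and app password from the environment, not the script."""
    user, app_pw = env.get("BB_USER"), env.get("BB_APP_PASSWORD")  # assumed names
    if not user or not app_pw:
        raise RuntimeError("set BB_USER and BB_APP_PASSWORD")
    return user, app_pw

def build_request(method, path, user, app_pw, body=None):
    """Build an HTTPS request authenticated with HTTP Basic (username:app password)."""
    token = base64.b64encode(f"{user}:{app_pw}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(API + path, data=data, headers=headers, method=method)

def open_prs_request(workspace, repo, user, app_pw):
    """GET the repository's open pull requests."""
    return build_request("GET", f"/repositories/{workspace}/{repo}/pullrequests?state=OPEN", user, app_pw)

def create_pr_request(workspace, repo, source, dest, title, user, app_pw):
    """POST a pull request from branch `source` into branch `dest`."""
    body = {"title": title,
            "source": {"branch": {"name": source}},
            "destination": {"branch": {"name": dest}}}
    return build_request("POST", f"/repositories/{workspace}/{repo}/pullrequests", user, app_pw, body)

def redacted_headers(req):
    """Header view that is safe to write to a log."""
    return {k: "<redacted>" if k.lower() == "authorization" else v
            for k, v in req.header_items()}

def send(req):
    """Send the request and decode the JSON response (needs network access)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    user, app_pw = load_credentials()
    req = open_prs_request("example-workspace", "example-repo", user, app_pw)  # placeholders
    print(req.get_method(), req.full_url, redacted_headers(req))
```

Create the app password with only the scopes the script needs, and log the redacted header view rather than the request itself.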
