Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

OAuth should ignore port for loopback redirect URIs


BitBucket's OAuth implementation

is missing the behaviour in

Loopback redirect URIs use the "http" scheme and are constructed with the loopback IP literal and whatever port the client is listening on. That is, "{port}/{path}" for IPv4, and "http://[::1]:{port}/{path}" for IPv6. ... The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request.

Please fix this bug.

1 answer

1 accepted

1 vote
Answer accepted
Dan Fraser
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Oct 25, 2022 • edited

Hi @M H

Thanks for your question, and welcome to the Atlassian Community!

I can confirm that Bitbucket's OAuth2.0 implementation does allow the port to be specified at request time (only for localhost).

When setting up your OAuth Consumer, you'll need to specify your Callback URL as http://localhost. Note that you can have a path specified here if you wish (but this is not strictly necessary). Don't specify a port here either. Bitbucket's backend will handle the port when provided.

When you initiate the OAuth flow, by making a call to make sure that you include the fully derived redirect_uri query param in your request.


Please note, that the query params in the above example should all be url encoded.

Hope this helps,

@Dan Fraser 

Thanks for your reply. So localhost works but not This is still a bug because the OAuth RFC says

While redirect URIs using localhost (i.e., "http://localhost:{port}/{path}") function similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED. Specifying a redirect URI with the loopback IP literal rather than localhost avoids inadvertently listening on network interfaces other than the loopback interface. It is also less susceptible to client-side firewalls and misconfigured host name resolution on the user's device.

@Dan Fraser please could you open a bug?

Dan Fraser
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Oct 26, 2022 • edited

@M H , instead of raising a bug, I've done you one better.

I've patched the code to allow the port to be specified at runtime on and the functionality should be available now in production. Note that the existing behaviour still works for localhost, as we have to continue supporting this. We have many consumers setup with localhost as their redirect_uri.

Can you test the functionality again, and confirm that your issue has been resolved? Thanks again for reaching out and bringing this to our attention!

Thanks @Dan Fraser that works now.

Suggest an answer

Log in or Sign up to answer
AUG Leaders

Atlassian Community Events