Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,642,102
Community Members
 
Community Events
196
Community Groups

OAuth should ignore port for loopback redirect URIs

Edited
M H
M H Oct 20, 2022

BitBucket's OAuth implementation https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/

is missing the behaviour in https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

Loopback redirect URIs use the "http" scheme and are constructed with the loopback IP literal and whatever port the client is listening on. That is, "http://127.0.0.1:{port}/{path}" for IPv4, and "http://[::1]:{port}/{path}" for IPv6. ... The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request.

Please fix this bug.

Answer
Watch
Like Dan Fraser likes this
416 views

1 answer

1 accepted

1 vote
Answer accepted
Dan Fraser
Dan Fraser
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Oct 25, 2022 • edited

Hi @M H

Thanks for your question, and welcome to the Atlassian Community!

I can confirm that Bitbucket's OAuth2.0 implementation does allow the port to be specified at request time (only for localhost).

When setting up your OAuth Consumer, you'll need to specify your Callback URL as http://localhost. Note that you can have a path specified here if you wish (but this is not strictly necessary). Don't specify a port here either. Bitbucket's backend will handle the port when provided.

When you initiate the OAuth flow, by making a call to https://bitbucket.org/site/oauth2/authorize make sure that you include the fully derived redirect_uri query param in your request.

eg:

https://bitbucket.org/site/oauth2/authorize?client_id=CLIENT_ID&response_type=code&redirect_uri=http://localhost:12345

Please note, that the query params in the above example should all be url encoded.

Hope this helps,

@Dan Fraser 

View More Comments
M H
M H Oct 25, 2022

Thanks for your reply. So localhost works but not 127.0.0.1? This is still a bug because the OAuth RFC says https://datatracker.ietf.org/doc/html/rfc8252#section-8.3

While redirect URIs using localhost (i.e., "http://localhost:{port}/{path}") function similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED. Specifying a redirect URI with the loopback IP literal rather than localhost avoids inadvertently listening on network interfaces other than the loopback interface. It is also less susceptible to client-side firewalls and misconfigured host name resolution on the user's device.

@Dan Fraser please could you open a bug?

Like
Dan Fraser
Dan Fraser
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Oct 26, 2022 • edited

@M H , instead of raising a bug, I've done you one better.

I've patched the code to allow the port to be specified at runtime on 127.0.0.1 and the functionality should be available now in production. Note that the existing behaviour still works for localhost, as we have to continue supporting this. We have many consumers setup with localhost as their redirect_uri.

Can you test the functionality again, and confirm that your issue has been resolved? Thanks again for reaching out and bringing this to our attention!

Like
M H
M H Oct 27, 2022

Thanks @Dan Fraser that works now.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events

See all events