Secure Authentication through curl POST for Bitbucket Server REST API

Deleted user September 8, 2017

I am using Bitbucket Server. I am trying to develop a peer review script that will push in-work feature branches to a personal server branch, open a pull request, and add some default reviewers. I am using curl to post my commands to the Bitbucket REST API. I can authorize using my username and password.

I am trying to improve the security of this process by using something better than username/password entered into my script. Is there any way to use OAuth, or some other public/private key pair authentication to validate a user through the REST API?

My script is currently written in Bash, and I am trying to keep it lightweight and portable. I cannot guarantee all our developers have PowerShell/Python installed.

I would expect my users to be authenticated through their web-browsers, but that does not seem to matter to curl.

2 answers

0 votes
Lars Olav Velle
Rising Star
September 9, 2017

Thomas,

Kerberos authentication is the way to go then.

In our latest version for Bitbucket we added the option to enable Kerberos to the REST API.

https://marketplace.atlassian.com/plugins/no.kantega.kerberosauth.kerberosauth-plugin.stash/server/overview

-Lars

0 votes
Bruno Vincent
Rising Star
September 9, 2017

Hi Thomas,

You might want to take a look at our example scripts that use Kerberos authentication instead of hardcoded username and password: https://www.cleito.com/products/iwaac/documentation/integrated-windows-authentication-for-non-browser-clients/

If you don't feel like using PowerShell, Python or Groovy, you can easily adapt those scripts for simple curl commands as curl supports SPNEGO/Kerberos authentication since version 7.38.0.

Hope this helps!

Bruno
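Both answers above point at Kerberos, and Bruno notes that curl has supported SPNEGO/Kerberos since 7.38.0. The script below is an added example, not code from the thread or from either plugin, showing what the peer-review script's pull-request call looks like once it uses the developer's Kerberos ticket instead of a username/password: the browser login Thomas mentions is replaced by the ticket the workstation logon (or `kinit`) gives the user, so each pull request is opened under that user's own account. It assumes a hypothetical Kerberos-enabled Bitbucket Server at `BITBUCKET_URL`; the project key, repository slug, branch names and reviewer names in the usage line are made up.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: open a Bitbucket Server pull request with curl
# using Kerberos/SPNEGO (curl >= 7.38.0) instead of a username/password in the script.
# Assumptions (hypothetical): the server runs a Kerberos-enabled plugin as the answers above
# describe, BITBUCKET_URL points at it, and the developer already holds a ticket from `kinit`
# or the workstation logon.
set -euo pipefail

BITBUCKET_URL="${BITBUCKET_URL:-https://bitbucket.example.com}"   # assumed host name

# Minimal JSON string escaping for the values interpolated below (backslash and double quote).
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

# REST endpoint for creating pull requests in a given project/repository.
pr_url() {
  printf '%s/rest/api/1.0/projects/%s/repos/%s/pull-requests' "$BITBUCKET_URL" "$1" "$2"
}

# Request body: project key, repo slug, source branch, target branch, title, reviewer names...
pr_body() {
  local project=$1 repo=$2 from=$3 to=$4 title=$5
  shift 5
  local reviewers="" name
  for name in "$@"; do
    reviewers+="${reviewers:+,}{\"user\":{\"name\":\"$(json_escape "$name")\"}}"
  done
  printf '{"title":"%s","fromRef":{"id":"refs/heads/%s","repository":{"slug":"%s","project":{"key":"%s"}}},"toRef":{"id":"refs/heads/%s","repository":{"slug":"%s","project":{"key":"%s"}}},"reviewers":[%s]}' \
    "$(json_escape "$title")" "$from" "$repo" "$project" "$to" "$repo" "$project" "$reviewers"
}

# Refuse to run without a valid Kerberos ticket, so curl never falls back to prompting
# for (or the script to embedding) a password. `klist -s` exits non-zero without a ticket.
require_ticket() {
  command -v klist >/dev/null 2>&1 && klist -s
}

# `--negotiate -u :` makes curl authenticate with the ticket cache; the empty -u is required
# and carries no password. --fail turns HTTP errors (401, 403, 409) into a non-zero exit.
open_pull_request() {
  local project=$1 repo=$2
  require_ticket || { echo "no Kerberos ticket; run kinit first" >&2; return 1; }
  pr_body "$@" | curl --negotiate -u : --silent --show-error --fail \
    -H 'Content-Type: application/json' \
    -X POST "$(pr_url "$project" "$repo")" --data-binary @-
}

# Usage (not run here): open_pull_request PROJ my-repo feature/x master "Add x" alice bob
```

Nothing secret is stored in the script or its environment: the only credential is the ticket in the user's cache, and `require_ticket` makes the failure mode a clear message rather than a password prompt. `--fail` discards the server's JSON error body; drop it while debugging a 400 or 409 response.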

Deleted user September 11, 2017

Plugins are the only way to do this?

Bruno Vincent
Rising Star
September 11, 2017

If you want to use Kerberos authentication, yes you will need a plugin.

If you want to stick with OAuth, you should take a look at this nice blog post by Mibex Software: https://medium.com/mibexsoftware/how-to-use-oauth-with-atlassian-products-c0f357ae91eb
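The OAuth that Bitbucket Server offers through application links is OAuth 1.0a with RSA-SHA1 request signing. The script below is an added example, not code from the thread or from the linked post, showing what signing one REST call takes in Bash plus `openssl`, so the peer-review script does not need a proxy service or a second language. It assumes a hypothetical incoming application link on the server registered with the consumer key `peer-review-script` and the public half of `key.pem`, and an access token already obtained through the browser authorisation step the linked post describes; the host name, token and key path are made up. The self-check at the end signs and verifies a constructed base string with a throwaway key pair so the block runs offline.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or the linked post: sign one Bitbucket Server REST
# call with OAuth 1.0a / RSA-SHA1 using only bash and openssl, so the script can stay in Bash.
# Assumptions (hypothetical): an incoming application link on the server registered with the
# consumer key below and the public half of key.pem, and an access token already obtained by
# the browser authorisation step the linked post describes. Host, key and token names are made up.
set -euo pipefail
export LC_ALL=C   # byte-wise sort order and ASCII character classes for the encoder

# RFC 5849 percent-encoding: unreserved characters pass through, the rest become %XX (ASCII input).
oauth_encode() {
  local s=$1 out="" i c
  for ((i = 0; i < ${#s}; i++)); do
    c=${s:i:1}
    case $c in
      [A-Za-z0-9._~-]) out+=$c ;;
      *) out+=$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Signature base string: METHOD & encode(base URL) & encode(sorted "k=v" params joined by &).
# A JSON body is not part of the signature; only oauth_* and query parameters are.
oauth_base_string() {
  local method=$1 url=$2
  shift 2
  local pairs=() p normalized
  for p in "$@"; do
    pairs+=("$(oauth_encode "${p%%=*}")=$(oauth_encode "${p#*=}")")
  done
  normalized=$(printf '%s\n' "${pairs[@]}" | sort | tr '\n' '&')
  normalized=${normalized%&}
  printf '%s&%s&%s' "$method" "$(oauth_encode "$url")" "$(oauth_encode "$normalized")"
}

# RSA-SHA1 over the base string with the consumer's private key; prints a base64 signature.
oauth_rsa_sha1_sign() {
  local key_file=$1 base=$2
  printf '%s' "$base" | openssl dgst -sha1 -sign "$key_file" | openssl base64 -A
}

# What the server does with the uploaded public key; exits 0 only if the signature matches.
oauth_rsa_sha1_verify() {
  local pub_file=$1 base=$2 sig_b64=$3 sigfile rc=1
  sigfile=$(mktemp)
  printf '%s' "$sig_b64" | openssl base64 -d -A > "$sigfile"
  if printf '%s' "$base" | openssl dgst -sha1 -verify "$pub_file" -signature "$sigfile" >/dev/null 2>&1; then
    rc=0
  fi
  rm -f "$sigfile"
  return "$rc"
}

# Authorization header for one request; fresh nonce and timestamp each time (replay protection).
oauth_header() {
  local method=$1 url=$2 consumer_key=$3 token=$4 key_file=$5 ts nonce base sig
  ts=$(date +%s)
  nonce=$(openssl rand -hex 16)
  local params=(
    "oauth_consumer_key=$consumer_key" "oauth_nonce=$nonce" "oauth_signature_method=RSA-SHA1"
    "oauth_timestamp=$ts" "oauth_token=$token" "oauth_version=1.0"
  )
  base=$(oauth_base_string "$method" "$url" "${params[@]}")
  sig=$(oauth_rsa_sha1_sign "$key_file" "$base")
  printf 'Authorization: OAuth oauth_consumer_key="%s", oauth_nonce="%s", oauth_signature_method="RSA-SHA1", oauth_timestamp="%s", oauth_token="%s", oauth_version="1.0", oauth_signature="%s"' \
    "$(oauth_encode "$consumer_key")" "$nonce" "$ts" "$(oauth_encode "$token")" "$(oauth_encode "$sig")"
}

# Offline self-check on constructed data: throwaway key pair, sign a base string, verify it.
oauth_selfcheck() {
  local dir base sig rc=1
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/key.pem" 2048 >/dev/null 2>&1
  openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub.pem" >/dev/null 2>&1
  base=$(oauth_base_string POST "https://bitbucket.example.com/rest/api/1.0/projects/PROJ/repos/my-repo/pull-requests" \
    oauth_consumer_key=peer-review-script oauth_nonce=abc123 oauth_signature_method=RSA-SHA1 \
    oauth_timestamp=1504915200 oauth_token=token1 oauth_version=1.0)
  sig=$(oauth_rsa_sha1_sign "$dir/key.pem" "$base")
  if oauth_rsa_sha1_verify "$dir/pub.pem" "$base" "$sig"; then rc=0; fi
  rm -rf "$dir"
  return "$rc"
}

# Usage (not run here), with the header from oauth_header passed to curl -H:
#   curl -H "$(oauth_header POST "$URL" peer-review-script "$TOKEN" ~/.config/pr/key.pem)" \
#        -H 'Content-Type: application/json' -X POST "$URL" --data-binary @body.json
```

The trade-off compared with a password is that the consumer's private key and the access token become the long-lived secrets: keep the key file mode 0600 in the user's home directory, never in the repository, and remember that the server only validates what is covered by the base string (method, URL, oauth parameters, query string), not a JSON body. The encoder handles ASCII input only, which covers Bitbucket project keys, slugs and the oauth parameters.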

Deleted user September 12, 2017

Thanks Bruno. In order to set up OAuth, it looks like I will need to create a proxy service that runs parallel to Bitbucket to link between a user's Bash calls and Bitbucket, then link that application to Bitbucket through the UI mentioned above. Instead of trying to make the REST calls directly from my Bash script, I will need to send a command to the proxy service. The proxy service will then authenticate with Bitbucket using OAuth, and all calls will go through this proxy.

If I create one central OAuth proxy on a server, I assume I still need to create one service account, and all REST API calls will use the service account to make changes, etc.

A much simpler alternative might be to create a service account with very strict permissions to allow modifying pull requests, and use this account's credentials as a pseudo-public interface.

Bruno Vincent
Rising Star
September 12, 2017

"I assume I still need to create one service account, and all REST API calls will use the service account to make changes, etc."

Well, in the end the access token you get allows your script to perform actions on behalf of the user who was logged in to Bitbucket and granted his permissions in the browser step. You might want your curl requests to be run under personal accounts (and not under a global service account).

Deleted user September 13, 2017

Thanks!
