Secure Authentication through curl POST for Bitbucket Server REST API

I am using Bitbucket Server. I am trying to develop a peer review script that will push in-work feature branches to a personal server branch, open a pull request, and add some default reviewers. I am using curl to post my commands to the Bitbucket REST API. I can authorize using my username and password.

I am trying to improve the security of this process by using something better than username/password entered into my script. Is there any way to use OAuth, or some other public/private key pair authentication to validate a user through the REST API?

My script is currently written in BASH, and I am trying to keep it lightweight and portable. I cannot guarantee all our developers have powershell/Python installed.

I would expect my users to be authenticated through their web-browsers, but that does not seem to matter to curl.

2 answers

Bruno Vincent Community Champion Sep 09, 2017

Hi Thomas,

You might want to take a look at our example scripts that use Kerberos authentication instead of hardcoded username and password: https://www.cleito.com/products/iwaac/documentation/integrated-windows-authentication-for-non-browser-clients/

If you don't feel like using PowerShell, Python or Groovy, you can easily adapt those scripts for simple curl commands as curl supports SPNEGO/Kerberos authentication since version 7.38.0.

Hope this helps!

Bruno

Plugins are the only way to do this?

Bruno Vincent Community Champion Sep 11, 2017

If you want to use Kerberos authentication, yes you will need a plugin.

If you want to stick with OAuth, you should take a look at this nice blog post by Mibex Software: https://medium.com/mibexsoftware/how-to-use-oauth-with-atlassian-products-c0f357ae91eb

Thanks Bruno. In order to set up OAuth, it looks like I will need to create a proxy service that runs parallel to bitbucket to link between a user's Bash calls and bitbucket, then link that application to bitbucket through the UI mentioned above. Instead of trying to make the REST calls directly from my Bash script, I will need to send a command to the proxy service. The proxy service will then authenticate with Bitbucket using OAuth, and all calls will go through this proxy.

If I create one central OAuth proxy on a server, I assume I still need to create one service account, and all REST API calls will use the service account to make changes, etc.

A much simpler alternative might be to create a service account with very strict permissions to allow modifying pull requests, and use this account credentials as a pseudo-public interface.

Bruno Vincent Community Champion Sep 12, 2017

"I assume I still need to create one service account, and all REST API calls will use the service account to make changes, etc."

Well, in the end the access token you get allows your script to perform actions on behalf of the user who was logged in to Bitbucket and granted his permissions in the browser step. You might want your curl requests to be run under personal accounts (and not under a global service account).


Thomas,

Kerberos authentication is the way to go then.

In our latest version for Bitbucket we added the option to enable Kerberos to the REST API.

https://marketplace.atlassian.com/plugins/no.kantega.kerberosauth.kerberosauth-plugin.stash/server/overview

-Lars
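An added example, not code from the thread or from either plugin vendor, showing what Bruno's curl-with-SPNEGO suggestion looks like in the kind of bash script Thomas describes (Kerberos enabled for the REST API on the server side, as Lars notes). The request body shape is assumed from the Bitbucket Server pull-requests resource; BITBUCKET_URL, the project key, repo slug, branches and reviewer names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): Bitbucket Server REST call from bash using
# curl's SPNEGO/Kerberos support (curl >= 7.38.0 built with GSS-API) instead of a
# username/password stored in the script. BITBUCKET_URL, PROJ, tool, branch and
# reviewer names are placeholders; the server needs Kerberos enabled for REST.
set -euo pipefail

# Returns 0 when the local curl build advertises SPNEGO in its feature list.
curl_supports_spnego() {
  curl --version 2>/dev/null | grep -qw SPNEGO
}

# Escape a value for use inside a JSON string (backslashes and double quotes).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the JSON body for POST /rest/api/1.0/projects/{key}/repos/{slug}/pull-requests.
# Arguments: project key, repo slug, title, source branch, target branch, reviewers...
build_pr_payload() {
  local project="$1" repo="$2" title="$3" from="$4" to="$5"; shift 5
  local ref_repo reviewers="" user
  ref_repo=$(printf '"repository":{"slug":"%s","project":{"key":"%s"}}' "$repo" "$project")
  for user in "$@"; do
    reviewers="${reviewers:+$reviewers,}{\"user\":{\"name\":\"$(json_escape "$user")\"}}"
  done
  printf '{"title":"%s","fromRef":{"id":"refs/heads/%s",%s},"toRef":{"id":"refs/heads/%s",%s},"reviewers":[%s]}' \
    "$(json_escape "$title")" "$from" "$ref_repo" "$to" "$ref_repo" "$reviewers"
}

# POST the pull request. With --negotiate and an empty user (-u :) curl obtains a
# service ticket from the caller's existing Kerberos TGT (kinit / domain logon), so the
# request runs as that developer and no password is read from the script or the shell.
create_pull_request() {
  local base_url="$1" project="$2" repo="$3" payload="$4"
  curl --fail --silent --show-error --negotiate -u : \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    --data "$payload" \
    "$base_url/rest/api/1.0/projects/$project/repos/$repo/pull-requests"
}

# Only contact a server when the caller has exported BITBUCKET_URL (placeholder).
if [ -n "${BITBUCKET_URL:-}" ]; then
  curl_supports_spnego || { echo "this curl build has no SPNEGO support" >&2; exit 1; }
  create_pull_request "$BITBUCKET_URL" PROJ tool \
    "$(build_pr_payload PROJ tool "Peer review: widget" feature/widget master alice bob)"
fi
```

Because the ticket comes from the developer's own logon, each pull request is created and audited under that person's account rather than a shared service account, which is the point Bruno makes above.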
