I am using Bitbucket Server. I am trying to develop a peer review script that will push in-work feature branches to a personal server branch, open a pull request, and add some default reviewers. I am using curl to post my commands to the Bitbucket REST API. I can authorize using my username and password.
I am trying to improve the security of this process by using something better than username/password entered into my script. Is there any way to use OAuth, or some other public/private key pair authentication to validate a user through the REST API?
My script is currently written in Bash, and I am trying to keep it lightweight and portable. I cannot guarantee all our developers have PowerShell/Python installed.
I would expect my users to be authenticated through their web-browsers, but that does not seem to matter to curl.
Thomas,
Kerberos authentication is the way to go then.
In our latest version for Bitbucket we added the option to enable Kerberos to the REST API.
-Lars
Hi Thomas,
You might want to take a look at our example scripts that use Kerberos authentication instead of hardcoded username and password: https://www.cleito.com/products/iwaac/documentation/integrated-windows-authentication-for-non-browser-clients/
If you don't feel like using PowerShell, Python or Groovy, you can easily adapt those scripts for simple curl commands as curl supports SPNEGO/Kerberos authentication since version 7.38.0.
Hope this helps!
Bruno
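As an added illustration of Bruno's suggestion (this is example code, not from the thread or from Cleito), the script below opens a Bitbucket Server pull request with curl while authenticating via SPNEGO/Kerberos: `--negotiate -u :` tells curl to use the ticket already in the user's credential cache, so no username or password is stored in the script or visible in the process list, and the request runs under the developer's own account rather than a shared service account. It assumes curl 7.38.0 or later built with GSS-API (or SSPI on Windows), a ticket obtained beforehand with `kinit`, the standard Bitbucket Server REST endpoint `/rest/api/1.0/projects/{KEY}/repos/{SLUG}/pull-requests`, and a placeholder host in `BITBUCKET_URL`; project key, repository slug, branch names and reviewer usernames in the usage call are constructed values.

```shell
#!/bin/sh
# Added example (not the thread's own code): open a Bitbucket Server pull request
# with curl, authenticating with Kerberos/SPNEGO instead of a hardcoded password.
# Assumptions: curl >= 7.38.0 with GSS-API/SSPI, a ticket from `kinit`, and the
# Bitbucket Server REST v1.0 pull-request endpoint. BITBUCKET_URL is a placeholder.
set -eu

BITBUCKET_URL="${BITBUCKET_URL:-https://bitbucket.example.invalid}"

# Escape backslashes and double quotes so user-supplied text is safe inside JSON.
json_escape() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Build the JSON body for a pull request.
# Args: title, source branch, target branch, project key, repo slug, reviewers...
pr_payload() {
  title=$(json_escape "$1"); src=$2; dst=$3; project=$4; repo=$5
  shift 5
  reviewers=""
  for u in "$@"; do
    reviewers="${reviewers}${reviewers:+,}{\"user\":{\"name\":\"$(json_escape "$u")\"}}"
  done
  printf '{"title":"%s","fromRef":{"id":"refs/heads/%s","repository":{"slug":"%s","project":{"key":"%s"}}},"toRef":{"id":"refs/heads/%s","repository":{"slug":"%s","project":{"key":"%s"}}},"reviewers":[%s]}' \
    "$title" "$src" "$repo" "$project" "$dst" "$repo" "$project" "$reviewers"
}

# Print the curl options for Kerberos. `-u :` with an empty user name makes curl
# take the identity from the credential cache; it fails closed if no ticket exists.
curl_auth_args() {
  if klist -s 2>/dev/null; then
    printf '%s\n' --negotiate -u :
  else
    echo "no Kerberos ticket found; run kinit first" >&2
    return 1
  fi
}

# POST the pull request. Args: project key, repo slug, source, target, title, reviewers...
open_pull_request() {
  project=$1; repo=$2; src=$3; dst=$4; title=$5
  shift 5
  body=$(pr_payload "$title" "$src" "$dst" "$project" "$repo" "$@")
  auth=$(curl_auth_args) || return 1
  # shellcheck disable=SC2086  # $auth is intentionally word-split into options
  curl --fail --silent --show-error $auth \
    -H 'Content-Type: application/json' \
    -X POST --data "$body" \
    "$BITBUCKET_URL/rest/api/1.0/projects/$project/repos/$repo/pull-requests"
}

# Usage (constructed values); only runs when RUN_PR=1 so the functions can be
# sourced and tested without touching the network.
if [ "${RUN_PR:-0}" = 1 ]; then
  open_pull_request PROJ my-repo feature/login-hardening develop \
    "Harden login flow" alice bob
fi
```

Because the identity comes from the Kerberos cache, the same script works for every developer without per-user secrets, and each pull request is attributed to the person who ran it; if `klist -s` reports no ticket the request is never sent.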
Plugins are the only way to do this?
If you want to use Kerberos authentication, yes you will need a plugin.
If you want to stick with OAuth, you should take a look at this nice blog post by Mibex Software: https://medium.com/mibexsoftware/how-to-use-oauth-with-atlassian-products-c0f357ae91eb
Thanks Bruno. In order to set up OAuth, it looks like I will need to create a proxy service that runs parallel to Bitbucket to link between a user's Bash calls and Bitbucket, then link that application to Bitbucket through the UI mentioned above. Instead of trying to make the REST calls directly from my Bash script, I will need to send a command to the proxy service. The proxy service will then authenticate with Bitbucket using OAuth, and all calls will go through this proxy.
If I create one central OAuth proxy on a server, I assume I still need to create one service account, and all REST API calls will use the service account to make changes, etc.
A much simpler alternative might be to create a service account with very strict permissions to allow modifying pull requests, and use this account's credentials as a pseudo-public interface.
"I assume I still need to create one service account, and all REST API calls will use the service account to make changes, etc."
Well, in the end the access token you get allows your script to perform actions on behalf of the user who was logged in to Bitbucket and granted his permissions in the browser step. You might want your curl requests to be run under personal accounts (and not under a global service account).
Thanks!