Unable to download files using OAuth

Hi,
I experience problems while using `composer` to retrieve some packages hosted on bitbucket. I got an error that I should authenticate through OAuth.
I created an Oauth account named 'Composer' associated with my account with read permissions. Say, I got those secret / keys:
URL: http://fakeURL.com
Clef: KEY
Secret: SECRET

Adding those credentials in composer with `composer config -g bitbucket-oauth.bitbucket.org KEY SECRET`didn't help as it fails with another error. Even trying to download through curl requests fails.

For example:

> TOKEN=$(curl -X POST -u "KEY:SECRET" https://bitbucket.org/site/oauth2/access_token -d grant_type=client_credentials | awk '{print $2}' | sed -r "s/\"(.*)\",/\1/")
Authentication through headers
> curl -L -o /dev/null -v -H "Authorization: Bearer $TOKEN" "https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2"
*   Trying 104.192.143.1...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to bitbucket.org (104.192.143.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3137 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=3928449; street=1098 Harrison Street; postalCode=94103; C=US; ST=CA; L=San Francisco; O=Atlassian, Inc.; CN=bitbucket.org
*  start date: May  3 00:00:00 2016 GMT
*  expire date: Jun 22 12:00:00 2018 GMT
*  subjectAltName: host "bitbucket.org" matched cert's "bitbucket.org"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0} [5 bytes data]
> GET /ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2 HTTP/1.1
> Host: bitbucket.org
> User-Agent: curl/7.50.0
> Accept: */*
> Authorization: Bearer HIDDEN_BEARER
>
{ [5 bytes data]
< HTTP/1.1 403 FORBIDDEN
< Server: nginx/1.6.2
< Vary: Accept-Language, Cookie
< Content-Type: text/plain; charset=utf-8
< X-OAuth-Scopes: project, account
< Strict-Transport-Security: max-age=31536000
< Date: Wed, 10 Aug 2016 10:43:25 GMT
< X-Served-By: app-104
< Content-Language: fr
< X-Static-Version: 89c5b48218a9
< ETag: "d983e5fda8077baf9bf8113ca068df49"
< X-Render-Time: 0.0286500453949
< Connection: keep-alive
< X-Version: 89c5b48218a9
< X-Request-Count: 442
< X-Frame-Options: SAMEORIGIN
< Content-Length: 57
<
{ [57 bytes data]
100    57  100    57    0     0    111      0 --:--:-- --:--:-- --:--:--   118
* Connection #0 to host bitbucket.org left intact
Authentication through url param

> * Rebuilt URL to: GET/
* getaddrinfo(3) failed for GET:80
* Couldn't resolve host 'GET'
* Closing connection 0
curl: (6) Couldn't resolve host 'GET'
*   Trying 104.192.143.1...
* Connected to bitbucket.org (104.192.143.1) port 443 (#1)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=3928449; street=1098 Harrison Street; postalCode=94103; C=US; ST=CA; L=San Francisco; O=Atlassian, Inc.; CN=bitbucket.org
*  start date: May  3 00:00:00 2016 GMT
*  expire date: Jun 22 12:00:00 2018 GMT
*  subjectAltName: host "bitbucket.org" matched cert's "bitbucket.org"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
> GET /ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2?access_token=HIDDEN_TOKEN HTTP/1.1
> Host: bitbucket.org
> User-Agent: curl/7.50.0
> Accept: */*
>
< HTTP/1.1 403 FORBIDDEN
< Server: nginx/1.6.2
< Vary: Accept-Language, Cookie
< Cache-Control: max-age=900
< Content-Type: text/plain; charset=utf-8
< X-OAuth-Scopes: project, account
< Strict-Transport-Security: max-age=31536000
< Date: Wed, 10 Aug 2016 10:44:43 GMT
< X-Served-By: app-124
< Content-Language: fr
< X-Static-Version: 89c5b48218a9
< ETag: "d983e5fda8077baf9bf8113ca068df49"
< X-Render-Time: 0.0477077960968
< Connection: keep-alive
< X-Version: 89c5b48218a9
< X-Request-Count: 396
< X-Frame-Options: SAMEORIGIN
< X-Cache-Info: caching
< Content-Length: 57
<
* Connection #1 to host bitbucket.org left intact
This endpoint does not support token-based authentication%
Any hints to resolve this issue ?
Thanks,

1 answer

Here is Mickaël's related issue on the composer issue list:

https://github.com/composer/composer/issues/5584

Suggest an answer

Log in or Join to answer
Community showcase
Piotr Plewa
Published Dec 27, 2017 in Bitbucket

Recipe: Deploying AWS Lambda functions with Bitbucket Pipelines

Bitbucket Pipelines helps me manage and automate a number of serverless deployments to AWS Lambda and this is how I do it. I'm building Node.js Lambda functions using node-lambda&nbsp...

654 views 0 4
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot