Unable to download files using OAuth

Mickaël PERRIN August 10, 2016
Hi,
I experience problems while using `composer` to retrieve some packages hosted on bitbucket. I got an error that I should authenticate through OAuth.
I created an OAuth account named 'Composer' associated with my account with read permissions. Say I got this key and secret:
URL: http://fakeURL.com
Key: KEY
Secret: SECRET

Adding those credentials in composer with `composer config -g bitbucket-oauth.bitbucket.org KEY SECRET` didn't help as it fails with another error. Even trying to download through curl requests fails.

For example:

```
> TOKEN=$(curl -X POST -u "KEY:SECRET" https://bitbucket.org/site/oauth2/access_token -d grant_type=client_credentials | awk '{print $2}' | sed -r "s/\"(.*)\",/\1/")
```
Authentication through headers
```
> curl -L -o /dev/null -v -H "Authorization: Bearer $TOKEN" "https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2"
*   Trying 104.192.143.1...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to bitbucket.org (104.192.143.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3137 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=3928449; street=1098 Harrison Street; postalCode=94103; C=US; ST=CA; L=San Francisco; O=Atlassian, Inc.; CN=bitbucket.org
*  start date: May  3 00:00:00 2016 GMT
*  expire date: Jun 22 12:00:00 2018 GMT
*  subjectAltName: host "bitbucket.org" matched cert's "bitbucket.org"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0} [5 bytes data]
> GET /ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2 HTTP/1.1
> Host: bitbucket.org
> User-Agent: curl/7.50.0
> Accept: */*
> Authorization: Bearer HIDDEN_BEARER
>
{ [5 bytes data]
< HTTP/1.1 403 FORBIDDEN
< Server: nginx/1.6.2
< Vary: Accept-Language, Cookie
< Content-Type: text/plain; charset=utf-8
< X-OAuth-Scopes: project, account
< Strict-Transport-Security: max-age=31536000
< Date: Wed, 10 Aug 2016 10:43:25 GMT
< X-Served-By: app-104
< Content-Language: fr
< X-Static-Version: 89c5b48218a9
< ETag: "d983e5fda8077baf9bf8113ca068df49"
< X-Render-Time: 0.0286500453949
< Connection: keep-alive
< X-Version: 89c5b48218a9
< X-Request-Count: 442
< X-Frame-Options: SAMEORIGIN
< Content-Length: 57
<
{ [57 bytes data]
100    57  100    57    0     0    111      0 --:--:-- --:--:-- --:--:--   118
* Connection #0 to host bitbucket.org left intact
```
Authentication through url param

```
> * Rebuilt URL to: GET/
* getaddrinfo(3) failed for GET:80
* Couldn't resolve host 'GET'
* Closing connection 0
curl: (6) Couldn't resolve host 'GET'
*   Trying 104.192.143.1...
* Connected to bitbucket.org (104.192.143.1) port 443 (#1)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=3928449; street=1098 Harrison Street; postalCode=94103; C=US; ST=CA; L=San Francisco; O=Atlassian, Inc.; CN=bitbucket.org
*  start date: May  3 00:00:00 2016 GMT
*  expire date: Jun 22 12:00:00 2018 GMT
*  subjectAltName: host "bitbucket.org" matched cert's "bitbucket.org"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
> GET /ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2?access_token=HIDDEN_TOKEN HTTP/1.1
> Host: bitbucket.org
> User-Agent: curl/7.50.0
> Accept: */*
>
< HTTP/1.1 403 FORBIDDEN
< Server: nginx/1.6.2
< Vary: Accept-Language, Cookie
< Cache-Control: max-age=900
< Content-Type: text/plain; charset=utf-8
< X-OAuth-Scopes: project, account
< Strict-Transport-Security: max-age=31536000
< Date: Wed, 10 Aug 2016 10:44:43 GMT
< X-Served-By: app-124
< Content-Language: fr
< X-Static-Version: 89c5b48218a9
< ETag: "d983e5fda8077baf9bf8113ca068df49"
< X-Render-Time: 0.0477077960968
< Connection: keep-alive
< X-Version: 89c5b48218a9
< X-Request-Count: 396
< X-Frame-Options: SAMEORIGIN
< X-Cache-Info: caching
< Content-Length: 57
<
* Connection #1 to host bitbucket.org left intact
This endpoint does not support token-based authentication%
```
Any hints to resolve this issue?
Thanks,
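
Added example, not part of the original post: shell helpers for the workflow shown above, which read `access_token` from the token endpoint's JSON reply without depending on field order, mask credentials in `curl -v` output before it is shared, and reduce a trace to the status line and `X-OAuth-Scopes` header. The function names are hypothetical and the sample JSON and trace are constructed, not captured from Bitbucket.

```shell
#!/bin/sh
# Added example; all sample data below is constructed.

# Read access_token from the token endpoint's JSON reply regardless of
# field order or spacing (awk '{print $2}' depends on both).
# Assumes the key and its value sit on the same line.
extract_access_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Mask credentials in `curl -v` output before pasting it anywhere public:
# the Authorization header value and any access_token= query parameter.
redact_curl_trace() {
  sed -e 's/^\(> Authorization: [A-Za-z]* \).*/\1REDACTED/' \
      -e 's/\(access_token=\)[^& "]*/\1REDACTED/g'
}

# Keep only the lines that explain an authorization failure: the status
# line and the scopes the server reports for the presented token.
summarize_trace() {
  grep -E '^< (HTTP/|X-OAuth-Scopes:)' | sed 's/^< //' | tr -d '\r'
}

# Constructed token-endpoint reply (field order deliberately shuffled).
SAMPLE_JSON='{"scopes": "project account", "access_token": "tok_CONSTRUCTED_123", "expires_in": 3600, "token_type": "bearer"}'

# Constructed trace carrying the token both in the URL and in a header.
SAMPLE_TRACE='> GET /owner/repo/downloads/file.tar.bz2?access_token=tok_CONSTRUCTED_123 HTTP/1.1
> Host: bitbucket.org
> Authorization: Bearer tok_CONSTRUCTED_123
>
< HTTP/1.1 403 FORBIDDEN
< X-OAuth-Scopes: project, account
< Content-Length: 57'

demo() {
  printf '%s\n' "$SAMPLE_JSON" | extract_access_token
  printf '%s\n' "$SAMPLE_TRACE" | redact_curl_trace
  printf '%s\n' "$SAMPLE_TRACE" | summarize_trace
}

demo
```

A token placed in the query string also ends up in proxy and server access logs, so the header form is the one to prefer wherever the endpoint accepts it.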

1 answer

0 votes
berlinger-rarents September 28, 2016

Here is Mickaël's related issue on the composer issue list:

https://github.com/composer/composer/issues/5584
