Unable to use refresh token without supplying credentials

I'm using PowerShell. I can successfully obtain an access token and refresh token by hitting https://bitbucket.org/site/oauth2/access_token with my OAuth client ID/key and secret from "https://bitbucket.org/[team]/workspace/settings/api".

However, I can't exchange the refresh token for a new access token. I am getting the following error:

"Client credentials missing; this request needs to be authenticated with the OAuth client id and secret"

This can only be a bug, because the whole point of refresh tokens is that you don't need to store the actual credentials (in this case OAuth consumer id/key and secret) in the meantime.

I have seen this:

$ curl -X POST -u "client_id:secret" \
  https://bitbucket.org/site/oauth2/access_token \
  -d grant_type=refresh_token -d refresh_token={refresh_token}

But I think that needs expanding, because it's unclear whether I need to put the text "client_id:secret" as the user part, or substitute either "client_id" and/or "secret" for some other value, and if so, what.

I've tried using PowerShell's `Invoke-RestMethod` passing the client ID and refresh token both in the body and as the credentials and neither works. I must be doing something wrong.

At this point my only recourse is going to be to store the OAuth client ID/key and secret in Windows Credential manager and ask for a new access token every time I need one, and throw away the refresh tokens.
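The `-u "client_id:secret"` part of the curl snippet above is HTTP Basic authentication: the username is the OAuth consumer's key (client ID) and the password is its secret, and the refresh token itself goes only in the form body. The following PowerShell function is an added example (not code from the original post or from Atlassian) that reproduces that exact exchange with `Invoke-RestMethod`; it assumes the token endpoint quoted above and treats `$ClientId`, `$ClientSecret` and `$RefreshToken` as placeholders to be loaded from a secret store such as Windows Credential Manager, never hard-coded. The `expires_in` field read from the response is the standard RFC 6749 field, assumed here to be returned alongside `access_token` and `refresh_token`.

```powershell
# Added example (not from the original post): refresh a Bitbucket Cloud OAuth 2.0 access token.
# Assumes the token endpoint quoted in the question; $ClientId/$ClientSecret/$RefreshToken are
# placeholders supplied by the caller from a secret store, not script literals.

function Get-BitbucketAccessTokenFromRefresh {
    param(
        [Parameter(Mandatory)] [string] $ClientId,       # OAuth consumer "Key"
        [Parameter(Mandatory)] [string] $ClientSecret,   # OAuth consumer "Secret"
        [Parameter(Mandatory)] [string] $RefreshToken,   # refresh token issued earlier
        [string] $TokenUri = 'https://bitbucket.org/site/oauth2/access_token'
    )

    # curl's -u "client_id:secret" is HTTP Basic auth: "<key>:<secret>" base64-encoded
    # into the Authorization header. Building it explicitly sends it on the first request,
    # rather than relying on -Credential, which in Windows PowerShell 5.1 only answers a
    # 401 challenge (an assumption about why a body/-Credential based attempt may fail here).
    $pair    = '{0}:{1}' -f $ClientId, $ClientSecret
    $basic   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    $headers = @{ Authorization = "Basic $basic" }

    # Form-encoded body, exactly what curl's two -d flags produce.
    # The client id/secret do not belong in the body for this endpoint.
    $body = @{
        grant_type    = 'refresh_token'
        refresh_token = $RefreshToken
    }

    $response = Invoke-RestMethod -Method Post -Uri $TokenUri -Headers $headers -Body $body `
                                  -ContentType 'application/x-www-form-urlencoded'

    # RFC 6749 allows the server to rotate the refresh token on each use; persist the
    # returned one so the next refresh does not use a superseded token.
    [pscustomobject]@{
        AccessToken  = $response.access_token
        RefreshToken = $response.refresh_token
        ExpiresIn    = $response.expires_in
    }
}

# Usage (values are placeholders loaded from a secret store):
# $tok = Get-BitbucketAccessTokenFromRefresh -ClientId $key -ClientSecret $secret -RefreshToken $rt
# Invoke-RestMethod -Uri 'https://api.bitbucket.org/2.0/user' `
#                   -Headers @{ Authorization = "Bearer $($tok.AccessToken)" }
```

Because the refresh grant for a confidential client always requires client authentication (RFC 6749 section 6), the consumer secret still has to be available at refresh time; what the refresh token saves is re-running the user-consent step, not storing the secret. Keep the secret and the current refresh token in a credential store and write neither to logs or transcripts.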

1 answer

0 votes

Hello @nbarnwell ,

You didn't mention that, but it seems that you're using the Client Credentials Grant scheme and essentially authenticating with OAuth to access data of the very same workspace which owns the OAuth consumer, not involving any end-user. In such a case – yes, a refresh token doesn't make much sense.

However, as I mentioned in our conversation in another Community question, there are other use cases where the refresh token is a per end-user secret which allows the OAuth consumer, provided that the end-user gave their consent, to access data of that user or even act on behalf of that user (impersonate them) in Bitbucket. The end-user can revoke the refresh token associated with their account at any time, so they are always in control of what the OAuth consumer can do.

Let me know if you have any questions.

Cheers,
Daniil
