
authentication using app password failing since 4 hours ago

Alan Casalboni March 10, 2022

I'm using wget or cURL to download resources from Bitbucket repositories.

Starting from March 10th, 6:00 PM GMT, I'm receiving this message:

Bitbucket Cloud recently stopped supporting account passwords for API authentication.
See our community post for more details: https://atlassian.community/t5/x/x/ba-p/1948231
App passwords are recommended for most use cases and can be created in your Personal settings:
https://bitbucket.org/account/settings/app-passwords/
For more details on API authentication methods see our documentation:
https://developer.atlassian.com/cloud/bitbucket/rest/intro/#authentication

This happens even when using username (not email) + app password, either with a Basic Authentication header or with username:apppassword.

The app password has been created with all the available permissions checked.

 

5 answers

1 accepted

1 vote
Answer accepted
Alan Casalboni March 11, 2022

Actually resolved by changing the host from

https://bitbucket.org/company/repo/download/resource

to 

https://api.bitbucket.org/2.0/repositories/company/repo/download/resource

Basic authentication is still functional using the API URL.

0 votes
seth_reeser April 20, 2022

Figured out how basic authentication still works through cURL, Wget or similar.

Use your username and then create an App password here: https://bitbucket.org/account/settings/app-passwords/

 

This was discovered by an API response with this message:

 

See our community post for more details: https://atlassian.community/t5/x/x/ba-p/1948231

App passwords are recommended for most use cases and can be created in your Personal settings:

https://bitbucket.org/account/settings/app-passwords/

For more details on API authentication methods see our documentation:

https://developer.atlassian.com/cloud/bitbucket/rest/intro/#authentication
0 votes
volkerrose April 12, 2022

There must have been a change in the basic auth authentication part of the API. As the others here also noted, requests via basic auth started failing for me in the last weeks.

The answer over at https://community.atlassian.com/t5/Bitbucket-questions/Re-How-use-List-Pull-Requests-API-with-App-Passwords-an/qaq-p/1971625/comment-id/79503#M79503 did give me the solution.

 

[...] to use app passwords in basic auth, the username you'd use is your Bitbucket username [...]

I was using my email address in combination with the app password before. As soon as I changed it to username plus app password the requests were successful again.

villeviitaharju April 12, 2022
I was using my email address in combination with the app password before. As soon as I changed it to username plus app password the requests were successful again.

Don't know if they fixed that already, but it didn't work with username or email when I last answered this thread.

My original code was using username for that since the beginning. My current OAuth method seems to be stable now also.

0 votes
Alan Casalboni March 11, 2022

It seems that the User-Agents "curl" and "wget" have been blacklisted.

villeviitaharju March 11, 2022

Even Postman throws an error if you have an 'Authorization' header with 'Basic bearer' included. Without the word 'Basic' we get an HTML page.

User-agent doesn't seem to matter, as it also has 'User-agent': 'PostmanRuntime/7.29.0'


Error we got in Postman:

Error: Exceeded maxRedirects. Probably stuck in a redirect loop https://bitbucket.org/account/signin/?next=...

Alan Casalboni March 11, 2022

If you override the User-Agent header and set it to 'curl' or 'wget', you will see the same error as when using curl (or wget).

villeviitaharju March 11, 2022

Good point, totally missed that one..

So other user agents just go into a redirect loop while wget/curl show an error (but are both broken).

0 votes
villeviitaharju March 11, 2022

Same issue here (using node request instead of curl, but same method with basic auth).

And when using cURL, the response shows the app password error while using an app password.

villeviitaharju March 11, 2022

Update:
Changed our code to use OAuth instead of basic auth.
So instead of one simple step, we had to do multiple steps to achieve the same results.

Alan Casalboni March 11, 2022

So using OAuth works?

villeviitaharju March 11, 2022

Yep, OAuth works. But it is just much more work compared to basic auth.
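An added example (not code from any poster in this thread) that combines the fixes reported above: the host rewrite from the accepted answer, the username-not-email rule, and refusing redirects so a bounce to the sign-in page is reported as an auth failure instead of a loop. The function names, the "@" check and the verdict strings are assumptions made for illustration.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_HOST = "api.bitbucket.org"

def to_api_url(web_url):
    """Rewrite https://bitbucket.org/<path> to the API form from the accepted answer."""
    parts = urlsplit(web_url)
    if parts.scheme != "https" or parts.hostname != "bitbucket.org":
        raise ValueError("expected an https://bitbucket.org/ URL")
    return f"https://{API_HOST}/2.0/repositories{parts.path}"

def basic_auth_header(username, app_password):
    """Build the Basic header. Treating any '@' as an e-mail address is an
    assumption; the thread reports app passwords pair with the username."""
    if "@" in username:
        raise ValueError("use the Bitbucket username, not the e-mail address")
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode("ascii")
    return f"Basic {token}"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow redirects, so the Authorization header is not replayed
    and a bounce to the sign-in page surfaces as an HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify(status, location=""):
    """Map a status code (and redirect target) to a verdict string."""
    if status in (301, 302, 303, 307, 308) and "/account/signin" in location:
        return "auth-rejected"  # the sign-in redirect seen in Postman
    if status in (401, 403):
        return "auth-rejected"
    return "ok" if 200 <= status < 300 else "other-error"

def fetch(web_url, username, app_password):
    """Download one resource; returns (verdict, body bytes or None)."""
    req = urllib.request.Request(to_api_url(web_url))
    req.add_header("Authorization", basic_auth_header(username, app_password))
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=30) as resp:
            return classify(resp.status), resp.read()
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location", "")), None
```

Read the app password from an environment variable or a secrets store when calling `fetch`, so it does not end up in shell history or process listings.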
