Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bitbucket CMS Backend #280

Open
jimafisk opened this issue Apr 22, 2023 · 3 comments
Open

Bitbucket CMS Backend #280

jimafisk opened this issue Apr 22, 2023 · 3 comments
Labels
cms Git-backed content editing enhancement New feature or request

Comments

@jimafisk
Copy link
Member

Bitbucket has OAuth that supports PKCE flow: https://confluence.atlassian.com/bitbucketserver/bitbucket-oauth-2-0-provider-api-1108483661.html

Bitbucket's commit API: https://developer.atlassian.com/cloud/bitbucket/rest/api-group-source/#api-repositories-workspace-repo-slug-src-post

@jimafisk jimafisk added enhancement New feature or request cms Git-backed content editing labels Jun 1, 2023
@jimafisk
Copy link
Member Author

jimafisk commented Nov 11, 2024

When requesting the access token, the following was being thrown in the console: Error: Unsupported grant type: None

This answer from Guy Ludvig on the Atlassian community forum seemed to solve this issue:

BitBucket is not expecting JSon but FormUrl so simply use FormUrlEncodedContent

So I needed to modify getting the access_token to look like this:

const requestAccessToken = async code => {
    const { access_token_endpoint, server, redirectUrl, appId } = settings;
    const params = new URLSearchParams({
        client_id: appId,
        code: code,
        grant_type: 'authorization_code',
        redirect_uri: redirectUrl,
        code_verifier: codeVerifier
    });
    const response = await fetch(server + access_token_endpoint, {
            method: 'POST',
            headers: {
                "Content-Type": "application/x-www-form-urlencoded"
            },
            body: params.toString()
        }
    );
    const tokens = await response.json();
    if (tokens.error) {
        throw new Error(tokens.error_description);
    }
    tokenStore.set(tokens);
};

Then I started getting Error: Client credentials missing; this request needs to be authenticated with the OAuth client id and secret

If I hardcoded a client_secret (which we don't want to do in a public client) it does work and you can login successfully:

const params = new URLSearchParams({
        scope: 'repository:write',
        client_secret: 'my-actual-client-secret-from-https://bitbucket.org/jantcu/workspace/settings/api',
        client_id: appId,
        code: code,
        grant_type: 'authorization_code',
        redirect_uri: redirectUrl,
        code_verifier: codeVerifier
    });

So I think the problem is there's a distinction that needs to be made here. There are 2 separate Atlassian products:

  1. Bitbucket Cloud (this is what runs on bitbucket.org)
  2. Bitbucket Server (end-of-life Feb, 2024 - see this article)

That makes sense why the documentation was saying the endpoints were:

authorization_endpoint = "/rest/oauth2/latest/authorize";
access_token_endpoint = "/rest/oauth2/latest/token";

when in reality they are:

authorization_endpoint = "/site/oauth2/authorize";
access_token_endpoint = "/site/oauth2/access_token";

I thought the documentation was just out of date, but I was referring to "Server" docs but trying to use the "Cloud" product.

See this Stackoverflow answer from an Atlassian employee daveruinseverything:

Whilst your question is about Bitbucket Cloud, the article you linked is for Atlassian's self-hosted source control tool Bitbucket Server. They have different functionality for different use cases, which is why they don't look the same.

Brandon G on the Atlassian community forum has the same problem as us where the client_secret is required even if using PKCE (which shouldn't require the secret). Patrick S points out on that thread:

I'm afraid the documentation you linked is for Bitbucket Server and not Bitbucket Cloud.
The Bitbucket Cloud API does not currently offer the Proof Key for Code Exchange (PKCE) so this is the reason why you are receiving that error.

So it sounds like PKCE isn't supported on BitBucket Cloud after all. It looks like NetlifyCMS/Decap is actually using "Implicit Grant" for BitBucket:

https://github.com/decaporg/decap-cms/blob/51eb7e831e9b587faed62314c4397b2966a8eefe/packages/decap-cms-backend-bitbucket/src/AuthenticationPage.js#L28

@jimafisk
Copy link
Member Author

jimafisk commented Nov 11, 2024

@jimafisk
Copy link
Member Author

I'm going to put this feature on hold until Bitbucket adds the PKCE grant type to their OAuth workflow.

If you'd like to see Bitbucket support implemented, please go to the feature request for this (https://jira.atlassian.com/browse/BCLOUD-23469) and

  1. Sign in and click the "vote for this issue" link in the right sidebar
  2. Leave a comment at the bottom expressing how this would be helpful for you

Thanks!

jimafisk added a commit that referenced this issue Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cms Git-backed content editing enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

1 participant