Issue with Client Credentials authentication #18

Open
marklagendijk opened this issue Feb 13, 2019 · 10 comments
Labels
help wanted Extra attention is needed

Comments

@marklagendijk

Is the authentication method Client Authentication Grant supported?

I found several references to it in the code, but I did not figure out how to use it successfully.
I tried using:

bitbucket.authenticate({
        type: 'oauth',
        key: key,
        secret: secret
})

But this sets key and secret as query params, which is not correct (I don't see it mentioned anywhere on the Authentication page): https://api.bitbucket.org/2.0/repositories/my-user/my-repo/commit/c0f212a586f0cf6be721f39acd334e9f4cdc9c48/statuses/build?client_id=****&client_secret=****

I also found the clientCredentialsGrant mentioned in src/plugins/oauth/routes.js, but this plugin is not hooked up in src/index.js and I'm not sure if / how it is supposed to be used.

@MunifTanjim
Owner

MunifTanjim commented Feb 13, 2019

Sorry for the confusion.

I tried to add support for OAuth at the beginning, but never actually got around to making it work. That's why it's not mentioned in the README file.

This is the main file where it was added: /src/plugins/authentication/before-request.js

I also found the clientCredentialsGrant mentioned in src/plugins/oauth/routes.js, but this plugin is not hooked up in src/index.js and I'm not sure if / how it is supposed to be used.

src/plugins/oauth is only there for anyone who's interested in implementing and testing it. It's just an initial draft and not yet implemented in the library. Supporting OAuth in the library is very much doable, but my understanding of Bitbucket's OAuth flow is not very clear. So, I'll need help from someone who understands Bitbucket's OAuth flow better than me.

@MunifTanjim MunifTanjim added the help wanted Extra attention is needed label Feb 13, 2019
@ghost

ghost commented Apr 21, 2019

I was not able to use oauth either but I was able to work with

bitbucket.authenticate({
  type: 'basic',
  username: 'yourusername',
  password: 'app password'
});

App passwords need to be generated in Bitbucket. You should read it from a config file outside of the source and protect it, but it's a password that you can use in a script / tool without exposing your main password. You can set access/permissions too, which is really preferable considering that you can do quite a lot of things with the API!

Off-topic:

Thanks for the lib.

I have started to learn/use Pipelines but I had a major block as our dev server is behind a firewall and there would be quite a few hoops to jump through to implement something like a callback URL or an API. I thought about it and I'm currently working on a small proof of concept using the Slack API so that Bitbucket Cloud would send a message like "at-bot Deploy version x.y.z to dev" on a Slack app channel; my bot-server (connected to Slack using the RTM API) would receive and parse the message, use the Bitbucket NPM package to resolve the URL and download the file to complete the deploy, and report back the results to the channel. It could also help me implement some kind of user-friendly self-service with our QA server, e.g. at-bot list-latest releases, at-bot deploy x.y.z to QA. It looks promising so far, except that most of the work will be to parse the messages and recognize a basic list of patterns / commands.

I have tried to get a test file using bitbucket.downloads.get (as the file is also in private repo) but I get a 500 error from Bitbucket Cloud... going to sleep, I'll check that again tomorrow.

@precious-void
Contributor

@MunifTanjim @eric-gagnon
Hey, everyone. I'm experiencing the same issues @eric-gagnon has with OAuth Consumer authentication using key and secret.
According to the Bitbucket guide and docs on how to work with OAuth, we should first get an access_token and refresh_token, and after that we can use them to authenticate requests.

Another noticeable thing is that access_token expires in two hours. So we will need to refresh it.

According to what I've written above, I think we need to implement two new methods — retrieveAccessToken and refreshAccessToken.

@MunifTanjim waiting for your approval about my statements, also thanks for lib, really cool 😃

If you don't mind, I'd like to implement them!
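The token flow described in this comment, written out as an added example that is not part of bitbucket.js or of any PR in this thread: a client-credentials exchange, a refresh_token exchange, and a cache that refreshes shortly before the two-hour expiry. It assumes Atlassian's documented token endpoint (https://bitbucket.org/site/oauth2/access_token) and the standard OAuth 2.0 response fields; `fetchFn` and `now` are injectable so the logic can be exercised without network access.

```javascript
// Added example, not part of bitbucket.js: OAuth 2.0 client-credentials grant and
// refresh_token grant against Bitbucket, with a refresh-before-expiry cache. Assumes
// Atlassian's documented token endpoint and standard OAuth 2.0 response fields.
const TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token";

// Key and secret travel in a Basic Authorization header, never in the query string
// (where they would end up in proxy and server logs).
function buildTokenRequest(grantParams, key, secret) {
  const basic = Buffer.from(`${key}:${secret}`).toString("base64");
  return {
    url: TOKEN_URL,
    init: { method: "POST", body: new URLSearchParams(grantParams).toString(),
            headers: { Authorization: `Basic ${basic}`,
                       "Content-Type": "application/x-www-form-urlencoded" } },
  };
}

// Turn expires_in (seconds; about two hours for Bitbucket) into an absolute time.
function parseTokenResponse(data, nowMs) {
  if (!data.access_token || !data.expires_in) throw new Error("malformed token response");
  return { accessToken: data.access_token, refreshToken: data.refresh_token,
           expiresAt: nowMs + data.expires_in * 1000 };
}

// Refresh a little early so no request goes out with a token that expires in flight.
function needsRefresh(token, nowMs, skewMs = 60_000) {
  return nowMs >= token.expiresAt - skewMs;
}

class BitbucketTokenSource {
  // fetchFn and now are injectable so the flow can be exercised without network.
  constructor(key, secret, { fetchFn = globalThis.fetch, now = Date.now } = {}) {
    Object.assign(this, { key, secret, fetchFn, now, token: null });
  }
  async exchange(grantParams) {
    const { url, init } = buildTokenRequest(grantParams, this.key, this.secret);
    const res = await this.fetchFn(url, init);
    if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
    return parseTokenResponse(await res.json(), this.now());
  }
  // Returns the value for "Authorization: Bearer <token>", refreshing only when needed.
  async getAccessToken() {
    if (!this.token) {
      this.token = await this.exchange({ grant_type: "client_credentials" });
    } else if (needsRefresh(this.token, this.now())) {
      this.token = await this.exchange({ grant_type: "refresh_token",
                                         refresh_token: this.token.refreshToken });
    }
    return this.token.accessToken;
  }
}
```

Each API call then sends `Authorization: Bearer` with the value returned by `getAccessToken()`, so an expired token is renewed transparently instead of surfacing as a 401.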

@precious-void
Contributor

Hey, guys, I have done a draft for what @MunifTanjim started with auth strategies. It's a draft, that's why the structure is not justified yet. But the main functionality is implemented. Would be happy if someone would help me finish it.

Related PR #78

@weilinzung

weilinzung commented Jan 28, 2022

Any updates on the authentication PR? thanks!

Also, Bitbucket is deprecating basic auth for API requests. App passwords won't work because scopes are required for API requests. I think we can only use OAuth (access token), and the access token expires, so we need a way to refresh it as well.


You are receiving this email because our logs have indicated that you have recently used your account password when using Basic authentication with [user dependent: Git over HTTPS, Bitbucket API, or both (Git over HTTPS and Bitbucket API)].

Beginning March 1, 2022, you will no longer be able to use your Atlassian account password when using Basic authentication with the Bitbucket API or Git over HTTPS. For security reasons, we require all users to use Bitbucket app passwords.


@USSliberty
Hello @weilinzung !
I am currently using Basic Authentication with app password with no issues for open/close PRs via API. I received that email too and they also say: "[...] You will need to ensure you update these stored credentials with an app password before March 1, 2022 in order to continue using Basic authentication with the Bitbucket API and/or Git over HTTPS without disruption."

So if you are using an app password with a Basic Authentication you should not be worried :)

@Style87

Style87 commented Mar 7, 2022

I'm using an app password generated on my account. I'm passing

auth: {
  type: 'apppassword',
  username: account,
  password: apppassword
}

I get a 401 error response

  error: 'Bitbucket Cloud recently stopped supporting account passwords for API authentication.\n' +
    'See our community post for more details: https://atlassian.community/t5/x/x/ba-p/1948231\n' +
    'App passwords are recommended for most use cases and can be created in your Personal settings:\n' +
    'https://bitbucket.org/account/settings/app-passwords/\n' +
    'For more details on API authentication methods see our documentation:\n' +
    'https://developer.atlassian.com/cloud/bitbucket/rest/intro/#authentication\n',

Should I be worried now?

@USSliberty
I am currently using this configuration, and no problems at the moment, with an app password.
I had a repo that was using a real user password and I indeed had the problem you are facing, but once I substituted the password everything was working again.

    const clientOptions = {
        auth: {
            username: process.env.BB_AUTH_USER,
            password: process.env.BB_AUTH_PWD
        },
    };
    
    const bitbucket = new Bitbucket(clientOptions);
    const pullRequest = await bitbucket.pullrequests.create({
        _body: TEMPLATE_PULL_REQUEST,
        workspace: process.env.BITBUCKET_REPO_OWNER,
        repo_slug: process.env.BITBUCKET_REPO_SLUG
    });

@Style87

Style87 commented Mar 8, 2022

I have discovered the issue. While I have a nearly identical code setup, I was still getting the 401 error while using the generated app password. I was using the account email as username, as that's what I log in with through the web. However, after switching the username value to the actual username of the account, everything works.

@bviebahn

bviebahn commented Mar 15, 2022

Having the same problem. I can't authenticate using an app password or API token.

const bitbucketClient = new bitbucket.Bitbucket({
  auth: {
    type: "apppassword",
    username: "my name",
    password: "my app password"
  },
});

const pullRequests = await bitbucketClient.pullrequests.list({
  repo_slug: "repo-slug",
  workspace: "workspace",
});

I also tried my email and the app password's label as username, but no success. I always get an Unauthorized error with the message 'Access token expired.'.

I also tried to use token authentication using a token generated here: https://id.atlassian.com/manage-profile/security/api-tokens.
But I'm getting the same error. Any help is appreciated.

edit: sorry, my mistake. I tried to enter my Full name as username. The username that works can be found under 'Account Settings'.
