API Authentication Help

Jason Crosby September 16, 2015

I am new to the Bitbucket API and Oauth in general. I have been reading the Bitbucket docs and https://tools.ietf.org/html/rfc6749 to take in as much as I can. I'm still a little confused and running into a problem so I want to make sure my workflow is correct. Here is how I am attempting authorization:

  1. Make a GET request to https://bitbucket.org/site/oauth2/authorize?client_id=consumerKey&response_type=code which returns a successful response and I get in the header this entry "Set-Cookie: csrftoken=authToken; expires=Wed, 14-Sep-2016 16:56:08 GMT; Max-Age=31449600; Path=/; secure".
  2. I take the value for csrftoken in the Set-Cookie header and plug it into a POST request to https://consumerKey:consumerSecret@bitbucket.org/site/oauth2/access_token?grant_type=authorization_code&code=csrftokenValue which should return the access token I need to make API requests.

Is this flow correct? And if it is I get a code 400 bad request error when I make request number 2. I also thought maybe the value for csrftoken in the first request was the token I needed to make requests and added a header value of "Authorization": "Bearer csrftokenValue" but that wasn't working either. I know I am probably missing something obvious but in my limited experience I'm not sure what it is. Please let me know the appropriate workflow and let me know if there is anything missing.


1 answer

Answer accepted
Kaz September 16, 2015

You must first redirect your user's browser to the URL at step 1. The browser will get a redirect response after the user's authorization and should redirect to the page specified in the Location header. You will get an authorization code as the request parameter code at that location. Your application then performs step 2 with the authorization code. The point is that step 1 is performed by your user's browser and step 2 by your application. The cookie is not relevant to the OAuth procedure itself. If you are implementing OAuth authorization yourself, I would advise the use of any existing OAuth library instead.
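The flow Kaz describes, as an added example that is not part of the original post: step 1 only builds the URL the user's browser is sent to, the callback is checked before its code is trusted, and step 2 is the server-side exchange with the client credentials in an HTTP Basic header rather than the URL. It assumes Bitbucket honours the RFC 6749 `state` parameter and Basic client authentication at the token endpoint (the latter is what the poster's `consumerKey:consumerSecret@` URL already relies on); nothing is sent over the network.

```python
# Added example (not from the original post): Bitbucket OAuth 2.0
# authorization-code grant, request construction only (no network I/O).
import base64
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://bitbucket.org/site/oauth2/authorize"
TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token"


def new_state():
    """Unguessable per-login value; store it in the user's session."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, state):
    """Step 1: the URL the *user's browser* is redirected to.
    The app never fetches this itself, so the csrftoken cookie never matters."""
    query = urllib.parse.urlencode(
        {"client_id": client_id, "response_type": "code", "state": state}
    )
    return f"{AUTHORIZE_URL}?{query}"


def parse_callback(redirect_url, expected_state):
    """Bitbucket redirects the browser to the app's callback with ?code=&state=.
    A state mismatch means the callback was not started by this session
    (login CSRF); such a code must be discarded, not exchanged."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    if "error" in params:
        raise RuntimeError(f"authorization refused: {params['error'][0]}")
    return params["code"][0]


def build_token_request(client_id, client_secret, code):
    """Step 2: done server-side by the app. Client id/secret go in an
    Authorization: Basic header, grant parameters in the form body (assumption:
    Bitbucket accepts Basic auth here, as the poster's URL form implies)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "authorization_code", "code": code}
    ).encode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                  headers=headers)
```

Send the returned request with `urllib.request.urlopen(req)` and read the JSON body for `access_token`; the secret never appears in a URL, so it does not end up in proxy or server access logs.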

Jason Crosby September 16, 2015

I'm building an app where when certain exceptions occur I want to automagically have a ticket created and the users of the app are not required to have a bitbucket account. Is there a way I can do it without any user interaction?

Kaz September 16, 2015

I thought the Bitbucket issue tracker can be configured to accept guest submission. Is it acceptable? Or you might be able to use OAuth 2.0 Client Credentials Grant https://tools.ietf.org/html/rfc6749#section-4.4 that doesn't require user authorization, but Bitbucket might not support that grant type.
