Access Tokens no longer work as expected after upgrading Bitbucket Data Center

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

After upgrading Bitbucket Data Center from 8.9.21, 8.19.11, 9.3.1, or older to 8.9.22, 8.19.12, 9.3.2 or newer, access tokens no longer work as expected. For instance, requests sent using tokens might be redirected to the login page, or the request may result in a 401 Unauthorized response, potentially leading to accounts being blocked and requiring a captcha to be cleared.

Environment

  • Bitbucket Data Center 8.9.22, 8.19.12, 9.3.2 or newer

  • The path of the request URL does not start with /rest or /scm

Diagnosis

When sending an HTTP request (for instance programmatically or using curl or wget) to a Bitbucket Data Center URL that is not handled by the REST API or SCM operations (i.e. the path of the URL does not start with /rest or /scm) and providing an access token as a credential for the request, the response from Bitbucket Data Center is unexpected:

  • If the access token is provided in the Authorization header, the response carries the 302 Found status code and has a Location header that contains the URL to the login page of Bitbucket Data Center.

  • If Basic authentication is used and the access token is provided instead of the user's password, the response carries the 401 Unauthorized status code. Sending such requests repeatedly can lead to the account used being locked and requiring a captcha to be cleared.

Cause

This is the expected behaviour starting with Bitbucket Data Center 8.9.22, 8.19.12 and 9.3.2. To address the bug BSERV-19859 (Access Tokens can be used to access endpoints that they shouldn't be allowed to), access tokens can now only be used for requests to REST API endpoints and for SCM operations, i.e. they can only be used for requests to URLs whose path begins with /rest or /scm.

Note: if you are using Bitbucket Data Center with a context root, that context root is prefixed, so access tokens can only be used for requests to URLs whose path begins with /<context root>/rest or /<context root>/scm.
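As an added example (not Atlassian's code), the following Python pre-flight check applies the rule above, including the context-root prefix, so that automation can tell whether a URL will accept an access token before sending the request and can interpret the 302/401 responses described under Diagnosis. The hostname, the context root /bitbucket and the "/login" match on the Location header are assumptions of this example.

```python
from urllib.parse import urlsplit

# Only these first path segments (after the context root) accept access
# tokens on 8.9.22 / 8.19.12 / 9.3.2 and newer, per this KB.
TOKEN_SCOPED_SEGMENTS = ("rest", "scm")


def _segments(path: str) -> list:
    """Split a URL path or context root into its non-empty segments."""
    return [s for s in path.split("/") if s]


def token_allowed(url: str, context_root: str = "") -> bool:
    """True if an access token can authenticate a request to this URL.
    Whole segments are compared, so /restricted does not count as /rest."""
    root = _segments(context_root)
    segs = _segments(urlsplit(url).path)
    if segs[: len(root)] != root:
        return False  # not under this instance's context root at all
    remainder = segs[len(root):]
    return bool(remainder) and remainder[0] in TOKEN_SCOPED_SEGMENTS


def preflight(url: str, context_root: str = "", auth: str = "bearer") -> str:
    """Predict the failure mode before sending so a client can skip the
    request instead of collecting 401s that count towards a captcha lockout.
    auth: "bearer" = token in the Authorization header, "basic" = token
    supplied as the password in Basic authentication."""
    if token_allowed(url, context_root):
        return "send"
    return "expect-302-to-login" if auth == "bearer" else "expect-401-lockout-risk"


def classify_response(status: int, headers: dict) -> str:
    """Map a response to the symptom the KB describes. The "/login" test on
    the Location header is an assumption of this example."""
    if status == 302 and "/login" in headers.get("Location", ""):
        return "token-rejected-redirect"
    if status == 401:
        return "token-rejected-unauthorized"
    return "other"


if __name__ == "__main__":
    # Constructed URLs for a hypothetical instance with context root /bitbucket.
    base = "https://git.example.test/bitbucket"
    for path in ("/rest/api/1.0/projects", "/scm/proj/repo.git/info/refs",
                 "/projects/PROJ/repos/repo/raw/README.md", "/restricted"):
        print(path, "->", preflight(base + path, "/bitbucket", "basic"))
```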

Solution

As a workaround, refer to the Bitbucket Data Center REST API reference to see if a REST API endpoint is available for the operation and use that instead. Otherwise, if you cannot use the REST API and wish to continue sending requests as before, use Basic authentication with a password instead of an access token.

Updated on March 18, 2025
