Automatically generate and refresh OAuth 2.0 tokens in Bitbucket Data Center
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Bitbucket Data Center provides APIs that allow external services to access resources on a user’s behalf using the OAuth 2.0 protocol.
This article provides a script so users can generate and refresh OAuth tokens automatically. It works for Bitbucket 8.x onwards.
Solution
The content on this page relates to platforms that are supported; however, the content is out of the scope of our Atlassian Support Offerings. Consequently, Atlassian cannot guarantee support for it. Please be aware that this material is provided for your information only, and you may use it at your own risk.
This script serves as a base reference and can be customized and enhanced to meet specific user or project requirements.
The system administrator must update the following parameters in the script based on the configuration of the incoming application link:
Client ID and Client Secret
Redirect URI associated with the incoming application setup in the application link
Bitbucket Base URL used in the API endpoints
Steps to set up the automation
Deploy a simple web application that is accessible from the Bitbucket instance.
Register this web application as an Incoming Link using Bitbucket's Application Links feature.
During the creation of the incoming link, grant the application the permission level that the tokens will need (the sample script below requests the ADMIN_WRITE scope). Every access token issued through this link carries that level, so grant the narrowest level that covers the API calls your users actually make.
Record the Client ID and Client Secret generated during this process for future reference.
Update the script and customise it as per your requirement, setting the Client ID, Client Secret, Redirect URI and Bitbucket Base URL listed above to match the incoming application link.
End users can now run the script with -a to obtain an access token and a refresh token for Bitbucket. Access tokens expire after 2 hours; running the script with -b exchanges the refresh token for a new access token, so the token can be rotated every 2h without repeating the browser authorization. The refresh token remains usable after the access_token itself has expired; if the refresh response returns a new refresh_token, keep that one for the next rotation. Treat both tokens like passwords: the script prints them to the terminal, so do not leave them in shell history or shared logs.
#!/bin/bash
# Replace these with your OAuth consumer details (the values below are placeholders).
# Anyone who can read this file learns the client secret, so keep it out of shared
# locations and version control.
CLIENT_ID="daabcc9e57ef6421c747af429d08d52f"
CLIENT_SECRET="1055d8cb1396329d1f46f140c57559227c8d05f55b16b67fadd740689d06ba24"
REDIRECT_URI="http://localhost:8080/BitbucketApp/" # Must match the redirect URL configured on the incoming link
AUTH_URL="http://localhost:7990/bitbucket/rest/oauth2/latest/authorize"
TOKEN_URL="http://localhost:7990/bitbucket/rest/oauth2/latest/token"
SCOPES="ADMIN_WRITE" # Request the narrowest scope your users actually need

# Pull one string field out of the JSON token response (avoids a jq dependency)
json_field() {
    echo "$1" | grep -o "\"$2\":\"[^\"]*" | cut -d'"' -f4
}

# Print the tokens from a token-endpoint response, or fail with the raw response
print_tokens() {
    local response="$1"
    local access_token refresh_token
    access_token=$(json_field "$response" access_token)
    refresh_token=$(json_field "$response" refresh_token)
    if [[ -z "$access_token" ]]; then
        echo "Failed to retrieve access token. Response: $response" >&2
        exit 1
    fi
    echo "OAuth token generated successfully!"
    echo "Access Token: $access_token"
    echo "Refresh Token: $refresh_token"
}

# Function to authorize access and get access token for the first time
oauth_access_token() {
    echo "Step 1: Open the following URL in your browser and authorize access:"
    echo ""
    echo "${AUTH_URL}?client_id=${CLIENT_ID}&response_type=code&scope=${SCOPES}&redirect_uri=${REDIRECT_URI}"
    echo ""
    echo "After authorizing, you will be redirected to ${REDIRECT_URI}?code=YOUR_AUTH_CODE"
    echo "Copy the 'code' from the URL and enter it below."
    # User inputs the authorization code
    read -r -p "Enter the authorization code: " AUTH_CODE
    # Step 2: Exchange the authorization code for an access token.
    # The client secret and code travel in the form-encoded POST body (which is
    # what the x-www-form-urlencoded content type describes), not in the URL, so
    # they do not end up in proxy or Bitbucket access logs.
    echo "Requesting access token..."
    RESPONSE=$(curl --silent --show-error --request POST --url "${TOKEN_URL}" \
        --data-urlencode "grant_type=authorization_code" \
        --data-urlencode "client_id=${CLIENT_ID}" \
        --data-urlencode "client_secret=${CLIENT_SECRET}" \
        --data-urlencode "code=${AUTH_CODE}" \
        --data-urlencode "redirect_uri=${REDIRECT_URI}")
    print_tokens "$RESPONSE"
}

# Function to generate access tokens using refresh tokens
oauth_refresh_token() {
    # User inputs the refresh token
    read -r -p "Enter the refresh token: " REFRESH_TOKEN
    # Step 1: Call the token endpoint with the refresh_token grant
    echo "Requesting access token..."
    RESPONSE=$(curl --silent --show-error --request POST --url "${TOKEN_URL}" \
        --data-urlencode "grant_type=refresh_token" \
        --data-urlencode "client_id=${CLIENT_ID}" \
        --data-urlencode "client_secret=${CLIENT_SECRET}" \
        --data-urlencode "refresh_token=${REFRESH_TOKEN}" \
        --data-urlencode "redirect_uri=${REDIRECT_URI}")
    print_tokens "$RESPONSE"
}

# Check input arguments
if [[ $# -eq 0 ]]; then
    echo "Usage: $0 -a | -b"
    echo "  -a: Authorise and generate an OAuth token"
    echo "  -b: Use a refresh token to get a new access token"
    exit 1
fi

# Process options (the leading ':' makes getopts report unknown options through OPTARG)
while getopts ":ab" opt; do
    case $opt in
        a) oauth_access_token ;;
        b) oauth_refresh_token ;;
        *) echo "Invalid option: -$OPTARG" >&2; exit 1 ;;
    esac
done
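The script above walks the user through the authorization-code flow but leaves out two protections a practitioner would expect: it sends no state parameter, so a crafted redirect carrying someone else's authorization code would be exchanged without complaint, and it places the redirect URI in the query string unencoded. The POSIX shell functions below are added here as an example and are not part of the Atlassian KB or of Bitbucket itself. They show the hardened version of the same flow: a random state bound to the session and checked when the user pastes back the full redirect URL, percent-encoding of every query parameter, client credentials sent in the POST body rather than the URL, and tokens written to a mode 0600 file instead of only echoed to the terminal. The base URL, redirect URI and client credentials are placeholders, and the code assumes Bitbucket echoes state on the redirect as RFC 6749 section 4.1.2 requires; token_request and login need a reachable instance, while the other helpers run offline.

```shell
#!/bin/sh
# Added example, not the KB's own script: the pieces a hardened version of the
# authorization-code flow needs. Assumes a Bitbucket Data Center base URL of
# http://localhost:7990/bitbucket, placeholder client credentials supplied via the
# environment, and that the provider echoes the "state" parameter back on the
# redirect, as RFC 6749 section 4.1.2 requires.
BASE_URL="http://localhost:7990/bitbucket"
AUTH_URL="$BASE_URL/rest/oauth2/latest/authorize"
TOKEN_URL="$BASE_URL/rest/oauth2/latest/token"
CLIENT_ID="${CLIENT_ID:-replace-with-client-id}"             # never commit the real values
CLIENT_SECRET="${CLIENT_SECRET:-replace-with-client-secret}"
REDIRECT_URI="http://localhost:8080/BitbucketApp/"
SCOPES="ADMIN_WRITE"   # scope name taken from the KB; request the narrowest one that works

# Percent-encode a string for a URL query (RFC 3986 unreserved characters pass through).
# Assumes ASCII input, which is all the OAuth parameters here contain.
urlencode() {
  s=$1; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [a-zA-Z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# 128-bit random state; binds the redirect to this session so a forged redirect
# carrying an attacker's code cannot be exchanged (RFC 6749 section 10.12).
new_state() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# $1 = state. Builds the authorize URL with every parameter encoded exactly once.
build_authorize_url() {
  printf '%s?response_type=code&client_id=%s&scope=%s&redirect_uri=%s&state=%s' \
    "$AUTH_URL" "$(urlencode "$CLIENT_ID")" "$(urlencode "$SCOPES")" \
    "$(urlencode "$REDIRECT_URI")" "$(urlencode "$1")"
}

# $1 = URL, $2 = parameter name. Prints the first matching query value (still encoded).
query_param() {
  q=${1#*\?}
  [ "$q" != "$1" ] || return 1        # no query string at all
  printf '%s\n' "${q%%#*}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# $1 = state we sent, $2 = the full redirect URL the user pasted back.
# Prints the code only when the returned state matches; otherwise fails closed.
check_redirect() {
  got=$(query_param "$2" state) || got=""
  code=$(query_param "$2" code) || code=""
  if [ -z "$got" ] || [ "$got" != "$1" ]; then
    echo "state mismatch: refusing to exchange this authorization code" >&2; return 1
  fi
  [ -n "$code" ] || { echo "redirect carried no code parameter" >&2; return 1; }
  printf '%s' "$code"
}

# Extract one string field from a flat JSON token response without depending on jq.
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# $1 = code or refresh token, $2 = grant type (authorization_code | refresh_token).
# Client credentials travel in the POST body, not the URL, so they stay out of access logs.
token_request() {
  if [ "$2" = refresh_token ]; then key=refresh_token; else key=code; fi
  curl -sS -X POST "$TOKEN_URL" \
    --data-urlencode "grant_type=$2" --data-urlencode "$key=$1" \
    --data-urlencode "client_id=$CLIENT_ID" --data-urlencode "client_secret=$CLIENT_SECRET" \
    --data-urlencode "redirect_uri=$REDIRECT_URI"
}

# $1 = path, $2 = access token, $3 = refresh token. Written with mode 0600: the refresh
# token outlives the access token and must not be readable by other local users.
save_tokens() { ( umask 077; printf 'ACCESS_TOKEN=%s\nREFRESH_TOKEN=%s\n' "$2" "$3" > "$1" ); }

# Interactive flow; run as "sh hardened_oauth.sh login". Not executed when sourced.
login() {
  state=$(new_state)
  echo "Open this URL, authorize, then paste the full URL you were redirected to:"
  build_authorize_url "$state"; echo
  printf 'Redirect URL: '; read -r redirect
  code=$(check_redirect "$state" "$redirect") || exit 1
  resp=$(token_request "$code" authorization_code)
  access=$(json_field "$resp" access_token); refresh=$(json_field "$resp" refresh_token)
  [ -n "$access" ] || { echo "token request failed: $resp" >&2; exit 1; }
  save_tokens "$HOME/.bitbucket_oauth" "$access" "$refresh"
  echo "tokens written to $HOME/.bitbucket_oauth (mode 0600)"
}
case "${1:-}" in login) login ;; esac
```

Run sh hardened_oauth.sh login for the interactive flow; without an argument the file only defines the functions, so another script can source it and call token_request "$REFRESH_TOKEN" refresh_token for the 2-hourly rotation. Asking the user to paste the whole redirect URL rather than just the code is what makes the state check possible: the script, not the user, decides whether the redirect belongs to the session it started.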