Bitbucket throws XSRF token validation failed error during OAuth connection
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
On attempting to establish an OAuth connection with Bitbucket, the following error is received after clicking the 'Accept' button:

Error Text
Welcome to Bitbucket
Xsrf token validation failed
Environment
Bitbucket Server/Data Center
Third-party plugins have been installed
Diagnosis
On first being directed to Bitbucket, open Chrome Developer Tools (F12) → Network → authorize?oauth_callback... and review the Response Headers section. The atl.xsrf.token cookie should be getting set there.

Instead, the following cookies are the only ones present when the request is submitted to Bitbucket on hitting the 'approve' button:
"cookies": [
  {
    "name": "BITBUCKETSESSIONID",
    "value": "REALLYLONGHEXADECIMALSTRING",
    "expires": null,
    "httpOnly": false,
    "secure": false
  },
  {
    "name": "_atl_bitbucket_remember_me",
    "value": "ANOTHERREALLYLONGRANDOMSTRING",
    "expires": null,
    "httpOnly": false,
    "secure": false
  },
  {
    "name": "wit-announce-token",
    "value": "REALLYLONGHEXADECIMALSTRING-BUT-THIS-TIME-WITH-DASHES",
    "expires": null,
    "httpOnly": false,
    "secure": false
  }
],
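The same check can be run against a HAR file exported from the browser's Network tab instead of reading the headers by hand. This is an added example, not Atlassian's code; the host, the URL path, the placeholder values and the assumption that the approval is submitted as a POST are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

XSRF_COOKIE = "atl.xsrf.token"  # cookie name taken from the article

# Constructed HAR excerpt: host, path and values are placeholders, not real data.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
  {"request": {"method": "GET",
               "url": "https://bitbucket.example.com/oauth/authorize?oauth_callback=x",
               "cookies": [{"name": "BITBUCKETSESSIONID", "value": "PLACEHOLDER"}]},
   "response": {"cookies": []}},
  {"request": {"method": "POST",
               "url": "https://bitbucket.example.com/oauth/authorize",
               "cookies": [{"name": "BITBUCKETSESSIONID", "value": "PLACEHOLDER"},
                           {"name": "_atl_bitbucket_remember_me", "value": "PLACEHOLDER"},
                           {"name": "wit-announce-token", "value": "PLACEHOLDER"}]},
   "response": {"cookies": []}}
]}}
""")

def audit_xsrf_cookie(har, path_marker="authorize"):
    """For each request whose path contains path_marker, report whether the
    XSRF cookie was set by the response and whether the request carried it."""
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry.get("response", {})
        if path_marker not in urlsplit(req["url"]).path:
            continue
        sent = {c["name"] for c in req.get("cookies", [])}
        set_by_server = {c["name"] for c in resp.get("cookies", [])}
        findings.append({
            "method": req["method"],
            "url": req["url"],
            "xsrf_set_in_response": XSRF_COOKIE in set_by_server,
            "xsrf_sent_in_request": XSRF_COOKIE in sent,
            "cookies_sent": sorted(sent),
        })
    return findings

def failing_submissions(har):
    """Assumed-POST approvals that went out without the XSRF cookie."""
    return [f for f in audit_xsrf_cookie(har)
            if f["method"] == "POST" and not f["xsrf_sent_in_request"]]

if __name__ == "__main__":
    for f in audit_xsrf_cookie(SAMPLE_HAR):
        print(f["method"], f["url"], "set:", f["xsrf_set_in_response"],
              "sent:", f["xsrf_sent_in_request"], f["cookies_sent"])
```

A HAR in which no response on the authorize page ever sets the cookie matches the symptom described here; rerunning the capture in safe mode shows whether a plugin is responsible.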
Cause
The expected atl.xsrf.token cookie is not being set because an installed third-party plugin is removing the cookie or blocking it from being set in the first place.
In previously seen instances, the following plugins have caused this issue:
Name | Vendor | Version | Plugin Key |
---|---|---|---|
| 3.5 |
|
Solution
Attempt to disable the faulting plugin and see whether the issue can still be reproduced. If the issue is resolved, it's recommended to check whether any upgrades are available for the offending plugin, or to reach out to the support resources for this plugin listed on the Atlassian Marketplace.
If your team is unsure which plugin could be causing the issue, it's recommended to enable 'Safe Mode' and then try to reproduce the issue using the following steps:
Performing these steps will temporarily disable all user-installed plugins within the Bitbucket server instance.
Navigate to Administration > Add-ons > Manage add-ons.
Click on the Enter safe mode link at the bottom of the page.
Click on Enter safe mode when you are prompted to confirm the operation.
Attempt to reproduce the issue in question.
When finished, you can exit safe mode by clicking Exit Safe Mode and restoring the previous configuration on the Manage add-ons page.