20
votes

I followed this documentation to get a token value and a token secret from Bitbucket:
https://confluence.atlassian.com/display/BITBUCKET/OAuth+on+Bitbucket

After that I want to push/pull to a given repo by using that token.

On GitHub I can use the token this way: https://help.github.com/articles/git-automation-with-oauth-tokens#step-2-clone-a-repository

My question is: how can I use this kind of HTTP authorization with Bitbucket (Mercurial/Git)?

5
Since June 2015, this seems officially supported. I have edited my answer below accordingly. - VonC

5 Answers

35
votes

I used an App password which I created from the Bitbucket Cpanel under Settings -> Access management (sidebar) -> App Passwords. After I did this I cloned the repo by using my username and the new app password as follows:

https://[your_user_name]:[app_password]@bitbucket.org/[your_user_name]/[repo_name].git

14
votes

This BitBucket page mentions:

We recently introduced OAuth 2 and also added the ability to use them as HTTP Basic Auth credentials.

Cloning a repository with an access token

Since add-ons will not be able to upload their own SSH keys to clone with, access tokens can be used as Basic HTTP Auth credentials to clone securely over HTTPS.

git clone https://x-token-auth:{access_token}@bitbucket.org/user/repo.git

The literal string x-token-auth as a substitute for username is required.

Our process is similar to GitHub, yet slightly different: the difference is GitHub puts the actual token in the username field.

See more at "OAuth on Bitbucket Cloud", as suggested in the comments by nick graziano.

12
votes

First of all: only OAuth 2 tokens can be used to clone repos

While unclear from this page, I've seen people try to use OAuth 1 access tokens. Unfortunately Git and Mercurial do not support OAuth 1 and so it is not possible to clone repos that way.

This is because OAuth 1 requires requests to be uniquely signed. The token itself is merely one of the input variables for the cryptographic signing process that git and hg do not support.

Now we did indeed recently add support for OAuth 2 which, despite its name, is a very different protocol and does not include cryptographic signing. As a result, OAuth 2 tokens can be used to clone over https.

Here's a dump of me creating a new OAuth 2 access/bearer token and using it to clone one of my private repos:

$ curl https://bitbucket.org/site/oauth2/access_token \
  -d grant_type=client_credentials \
  -u dqN7QFLwJEcHsHadYw:pzvZG25WEDqbm9aeUVRHtQRHgTRgDr9t
{
  "access_token": "He1rBW1eYAzmT3ePJcvYDtkIcF1Pb1izZHo8oqpKMEL5ivsku71qkjfumVgR2bWsCiRM7XeEmbVffxU92w==",
  "scopes": "repository email",
  "expires_in": 3600,
  "refresh_token": "pfcnxSpXNPAeTcYhcQ",
  "token_type": "bearer"
}
$ git clone "https://x-token-auth:JU5dAtlMD30BisLpDkIap7T18Ry9v6p0Xif4owkQUyen_rLx5_B3PjjeqhLhpde0ezR1wyGLeqYE2HA49A==@bitbucket.org/evzijst/crypt"
Cloning into 'crypt'...
remote: Counting objects: 26, done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 26 (delta 8), reused 0 (delta 0)
Unpacking objects: 100% (26/26), done.
Checking connectivity... done.

Now be aware that OAuth 2 tokens expire in an hour. After that they will cease to work. Depending on how you obtained the access token you may have a refresh token. You can use this refresh token to issue a new access token immediately before attempting to clone, to avoid expiration.

7
votes

To manipulate a Bitbucket repository with a token:

  1. First you create an "OAuth" in the access management section of your Bitbucket account settings. This gives you a "Key" and a "Secret". You have done this bit.

  2. Now, using this Key and Secret, you ask Bitbucket for a token. In my case I made an HTTP request to https://bitbucket.org/site/oauth2/access_token. I could do it with curl or some Ajax library like this:

    curl -X POST -u "yourKeyHere:yourSecretHere"  https://bitbucket.org/site/oauth2/access_token -d  grant_type=client_credentials
    

    Alternatively, my HTTP request was like this (using superagent in Node), with my Content-Type set to application/x-www-form-urlencoded; you can also use Postman:

    request.post("https://yourKeyHere:yourSecretHere@bitbucket.org/site/oauth2/access_token").send('grant_type=client_credentials');
    

    the result is like this:

    {
       "access_token": "blah blah blah HXAhrfr8YeIqGTpkyFio=",
       "scopes": "pipeline snippet issue pullrequest project team account",
       "expires_in": 3600,
       "refresh_token": "hsadgsadvkQ",
       "token_type": "bearer"
    }
    
  3. Now that you have the "access_token", clone a private repo with it. But the URL to your repo should be like this (keep the brackets around the token):

    https://x-token-auth:{tokenHere}@bitbucket.org/yourRepoOwnerHere/RepoNameHere.git
    
1
votes

I know this is a fairly old thread, but, just in case, I wrote my own credential store to manage Bitbucket's token:

https://github.com/gildas/git-credential-bitbucket
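
The answers above put the token in the clone URL, which git then saves as the remote URL in `.git/config`. The following is an added example, not part of any answer above and not the code of the linked git-credential-bitbucket project: a minimal git credential helper that supplies `x-token-auth` and a short-lived token from the environment instead. The script name `bb-helper.sh`, the variable `BB_ACCESS_TOKEN` and the `KEY`/`SECRET` variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed): git credential helper for a Bitbucket OAuth 2
# access token, so the token is not embedded in the clone URL.
# Assumed usage (script path and KEY/SECRET variables are placeholders):
#   export BB_ACCESS_TOKEN=$(curl -s https://bitbucket.org/site/oauth2/access_token \
#       -d grant_type=client_credentials -u "$KEY:$SECRET" | sh bb-helper.sh token)
#   git -c credential.helper='!sh /path/to/bb-helper.sh' \
#       clone https://bitbucket.org/user/repo.git

# Print the "access_token" value from the token endpoint's JSON on stdin.
# Assumes the value contains no escaped quotes.
extract_access_token() {
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# git runs the helper as "<helper> get|store|erase" and writes key=value
# lines (protocol=, host=, ...) to stdin. Only "get" for https://bitbucket.org
# is answered; store/erase are ignored so this helper never writes the token.
bb_credential_helper() {
    [ "$1" = "get" ] || return 0
    proto="" host=""
    while IFS='=' read -r key value; do
        [ -n "$key" ] || break
        case "$key" in
            protocol) proto=$value ;;
            host)     host=$value ;;
        esac
    done
    [ "$proto" = "https" ] && [ "$host" = "bitbucket.org" ] || return 0
    [ -n "$BB_ACCESS_TOKEN" ] || return 0
    printf 'username=x-token-auth\npassword=%s\n' "$BB_ACCESS_TOKEN"
}

# Remove user:password@ from a remote URL (for cleaning an existing remote).
strip_url_credentials() {
    printf '%s\n' "$1" | sed 's#^\([a-zA-Z][a-zA-Z0-9+.-]*://\)[^/@]*@#\1#'
}

# Dispatch when run as a script; with no argument nothing happens.
case "${1:-}" in
    get|store|erase) bb_credential_helper "$1" ;;
    token)           extract_access_token ;;
esac
```

For a clone that was already made with the token in the URL, `git remote set-url origin` with the output of `strip_url_credentials` removes it from `.git/config`.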