Bitbucket now supports OAuth2 and fine-grained scopes for resources

By on July 30, 2015

Bitbucket just added different levels of access to its APIs, enabling add-on and integration developers to request read, write, or admin access to repos, issues, wikis, and snippets. For Bitbucket users this means that add-ons and integrations now only get the level of access they actually need.

More details can be found in the Bitbucket documentation.

Why OAuth2?

Our previous OAuth 1 implementation offered only all-or-nothing access to resources, so as a developer building integrations or add-ons you had little control over what your consumer could do once a user authorized it. In addition, some operations that were not possible over OAuth 1, such as cloning a repository, are now possible over OAuth2, which enables a new set of add-on and integration functionality.

How do I use OAuth2?

OAuth2 is available for webhooks, the REST APIs, and Atlassian Connect for Bitbucket. When you register your application (an add-on or integration) with Bitbucket, it becomes an “OAuth consumer”. OAuth 1 consumers created before this change have been grandfathered in with full access. All new consumers, however, must declare the scopes they request, and a much more granular set of scopes is now available for both OAuth versions.
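The registration-and-scopes step above is easiest to see as a small client. The following is an added example, not Bitbucket's own code or SDK: it assembles a least-privilege scope list, builds the authorization redirect with a CSRF-binding `state`, validates the callback, prepares the code-exchange and refresh requests, and checks that the scopes Bitbucket actually granted match what was asked for. The endpoint paths, the scope names and the `resource:write` / `resource:admin` naming, the `scopes` and `expires_in` fields in the token response, and the `x-token-auth` clone convention are all assumptions to verify against the current Bitbucket documentation.

```python
"""
Minimal OAuth2 authorization-code helpers for a Bitbucket consumer.

Added example, not Bitbucket's own code. Assumptions (verify against the
current Bitbucket Cloud docs): AUTHORIZE_URL / TOKEN_URL, the scope names
and ":write"/":admin" suffixes, a space-separated "scopes" field plus
"expires_in" in the token JSON, and git clone over HTTPS as x-token-auth.
"""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs, urlunparse

# Assumed Bitbucket Cloud OAuth2 endpoints.
AUTHORIZE_URL = "https://bitbucket.org/site/oauth2/authorize"
TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token"

READ, WRITE, ADMIN = "read", "write", "admin"


def scope_for(resource: str, level: str) -> str:
    """Single scope granting `level` on `resource` (assumed naming: the bare
    resource name is read access, ":write" / ":admin" raise the level)."""
    if level == READ:
        return resource
    if level in (WRITE, ADMIN):
        return f"{resource}:{level}"
    raise ValueError(f"unknown access level {level!r}")


def minimal_scopes(needs: dict) -> list:
    """needs maps resource -> highest level the integration really uses.
    One scope per resource, at exactly that level: this is the least-privilege
    request the post encourages (assumes higher levels imply lower ones)."""
    return sorted(scope_for(r, lvl) for r, lvl in needs.items())


def new_state() -> str:
    """Unguessable per-request value that binds the redirect back to this
    browser session; rejecting a mismatch defeats login-CSRF on the callback."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, scopes: list, state: str) -> str:
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect from Bitbucket and return the authorization code.
    The state is checked (constant-time) before the code is trusted at all."""
    qs = parse_qs(urlparse(callback_url).query)
    got = qs.get("state", [None])[0]
    if got is None or not secrets.compare_digest(got, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in qs:
        raise ValueError(f"authorization denied: {qs['error'][0]}")
    return qs["code"][0]


def code_exchange_body(code: str) -> dict:
    """Form body for POST TOKEN_URL; client id/secret go in HTTP Basic auth."""
    return {"grant_type": "authorization_code", "code": code}


def refresh_body(refresh_token: str) -> dict:
    """Form body to obtain a fresh access token after the old one expires."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token}


def check_granted(token_response: dict, required: list) -> list:
    """Raise if any required scope is missing; return scopes granted beyond
    `required` so an over-broad consumer registration is noticed."""
    granted = set(token_response.get("scopes", "").split())
    missing = set(required) - granted
    if missing:
        raise PermissionError(f"consumer lacks scopes: {sorted(missing)}")
    return sorted(granted - set(required))


def needs_refresh(token_response: dict, issued_at: float, now=None, skew=60) -> bool:
    """True once the access token is within `skew` seconds of expiry."""
    now = time.time() if now is None else now
    return now >= issued_at + float(token_response["expires_in"]) - skew


def token_clone_url(https_url: str, access_token: str) -> str:
    """Clone URL carrying the access token as Basic credentials (assumed
    Bitbucket convention: user name x-token-auth). Never log this URL."""
    p = urlparse(https_url)
    return urlunparse(p._replace(netloc=f"x-token-auth:{access_token}@{p.netloc}"))
```

The request bodies are returned as dicts rather than sent, so the block runs offline; in practice they are POSTed to `TOKEN_URL` with the consumer key and secret as HTTP Basic credentials, and the `state` from `new_state()` must be stored server-side (session-bound) between building the authorize URL and parsing the callback.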

How does it impact me if I am a Bitbucket user?

You have complete control over, and visibility into, the level of access granted to your resources and repositories when you choose to use an integration or add-on. Access is granted on a consent page similar to the one shown below:

[Screenshot: OAuth2 consent page listing the scopes the consumer requests]

You can also revoke access easily via “OAuth” under “Access Management” on your Settings page as shown below:

[Screenshot: “OAuth” under “Access Management” on the Settings page, where granted consumers can be revoked]

Please upgrade to OAuth2

We encourage all developers of Bitbucket integrations and add-ons to move the authentication mechanism they are using to OAuth2 with scopes wherever possible.

Happy coding!

One Comment

  • shrimpy
    Posted August 6, 2015 at 4:10 pm | Permalink

    In the documentation, the access token expires in an hour. What about the refresh token?