How to manipulate Bitbucket repository with token?
Solution 1
This BitBucket page mentions:
We recently introduced OAuth 2 and also added the ability to use them as HTTP Basic Auth credentials.
Cloning a repository with an access token
Since add-ons will not be able to upload their own SSH keys to clone with, access tokens can be used as Basic HTTP Auth credentials to clone securely over HTTPS.
git clone https://x-token-auth:{access_token}@bitbucket.org/user/repo.git
The literal string x-token-auth as a substitute for username is required.
Our process is similar to GitHub, yet slightly different: the difference is GitHub puts the actual token in the username field.
See more at "OAuth on Bitbucket Cloud", as suggested in the comments by nick graziano.
Solution 2
I used an App password which I created from the Bitbucket Cpanel under Settings -> Access management (sidebar) -> App Passwords. After I did this I cloned the repo by using my username and the new app password as follows:
https://[your_user_name]:[app_password]@bitbucket.org/[your_user_name]/[repo_name].git
Solution 3
First of all: only OAuth 2 tokens can be used to clone repos
While unclear from this page, I've seen people try to use OAuth 1 access tokens. Unfortunately Git and Mercurial do not support OAuth 1 and so it is not possible to clone repos that way.
This is because OAuth 1 requires requests to be uniquely signed. The token itself is merely one of the input variables for the cryptographic signing process that git and hg do not support.
Now we did indeed recently add support for OAuth 2 which, despite its name, is a very different protocol and does not include cryptographic signing. As a result, OAuth 2 tokens can be used to clone over https.
Here's a dump of me creating a new OAuth 2 access/bearer token and using it to clone one of my private repos:
$ curl https://bitbucket.org/site/oauth2/access_token \
-d grant_type=client_credentials \
-u dqN7QFLwJEcHsHadYw:pzvZG25WEDqbm9aeUVRHtQRHgTRgDr9t
{
"access_token": "He1rBW1eYAzmT3ePJcvYDtkIcF1Pb1izZHo8oqpKMEL5ivsku71qkjfumVgR2bWsCiRM7XeEmbVffxU92w==",
"scopes": "repository email",
"expires_in": 3600,
"refresh_token": "pfcnxSpXNPAeTcYhcQ",
"token_type": "bearer"
}
$ git clone "https://x-token-auth:JU5dAtlMD30BisLpDkIap7T18Ry9v6p0Xif4owkQUyen_rLx5_B3PjjeqhLhpde0ezR1wyGLeqYE2HA49A==@bitbucket.org/evzijst/crypt"
Cloning into 'crypt'...
remote: Counting objects: 26, done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 26 (delta 8), reused 0 (delta 0)
Unpacking objects: 100% (26/26), done.
Checking connectivity... done.
Now be aware that OAuth 2 tokens expire in an hour. After that they will cease to work. Depending on how you obtained the access token you may have a refresh token. You can use this refresh token to issue a new access token immediately before attempting to clone, to avoid expiration.
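A clone URL that embeds the token is saved by git in .git/config as the remote URL, and it stops working once expires_in has passed. As an added example (not part of the original answers), the git credential helper below requests a fresh token for each operation and hands it to git as the x-token-auth password; the environment variable names BB_OAUTH_KEY and BB_OAUTH_SECRET and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: git credential helper for a Bitbucket OAuth 2 consumer.
# Assumed names: BB_OAUTH_KEY / BB_OAUTH_SECRET environment variables.
TOKEN_URL="https://bitbucket.org/site/oauth2/access_token"

# Request a token with the client_credentials grant. The key and secret go to
# curl on stdin (-K -) so they never show up in the process list.
# Assumes neither value contains a double quote or backslash.
fetch_token_json() {
  printf 'user = "%s:%s"\n' "$BB_OAUTH_KEY" "$BB_OAUTH_SECRET" |
    curl -sS --fail -K - -d grant_type=client_credentials "$TOKEN_URL"
}

# Pull the access_token value out of the JSON response on stdin.
extract_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
    head -n 1
}

# Answer a "get" request. Git sends key=value lines on stdin, ended by a
# blank line; reply only for https://bitbucket.org so the token is never
# offered to any other host.
handle_get() {
  local line protocol host token
  protocol=""
  host=""
  while IFS= read -r line && [ -n "$line" ]; do
    case "$line" in
      protocol=*) protocol=${line#protocol=} ;;
      host=*)     host=${line#host=} ;;
    esac
  done
  [ "$protocol" = "https" ] && [ "$host" = "bitbucket.org" ] || return 0
  token=$(fetch_token_json | extract_token)
  [ -n "$token" ] || return 1
  printf 'username=x-token-auth\npassword=%s\n' "$token"
}

# Git appends the operation as the first argument. "store" and "erase" are
# ignored: the token is short-lived and fetched fresh on every "get".
case "${1:-}" in
  get) handle_get ;;
esac
```

Register it with git config --global credential.https://bitbucket.org.helper /absolute/path/to/this-script (placeholder path), then clone, pull and push with a plain https://bitbucket.org/owner/repo.git URL that carries no credentials.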
Solution 4
To manipulate Bitbucket repository with token:
First you create an "Oauth" in access management section of your bitbucket account setting. This gives you a "Key" and a "Secret". You have done this bit.
Now using these Key and Secret you ask Bitbucket for a token. In my case I made a http request to https://bitbucket.org/site/oauth2/access_token. I could do it with Curl or some Ajax library like this:
curl -X POST -u "yourKeyHere:yourSecretHere" https://bitbucket.org/site/oauth2/access_token -d grant_type=client_credentials
Alternatively, my http request was like this (using superagent in node) with my Content-Type set to application/x-www-form-urlencoded; you can use postman:
request.post("https://yourKeyHere:yourSecretHere@bitbucket.org/site/oauth2/access_token").send('grant_type=client_credentials');
The result is like this:
{ "access_token": "blah blah blah HXAhrfr8YeIqGTpkyFio=", "scopes": "pipeline snippet issue pullrequest project team account", "expires_in": 3600, "refresh_token": "hsadgsadvkQ", "token_type": "bearer" }
Now that you have the "access_token", clone a private repo with it. But the url to your repo should be like this (keep the bracket around token):
https://x-token-auth:{tokenHere}@bitbucket.org/yourRepoOwnerHere/RepoNameHere.git
Solution 5
I know this is a fairly old thread, but, just in case, I wrote my own credential store to manage bitbucket's token:
Gábor Domonkos
Updated on April 21, 2020
Comments
-
Gábor Domonkos about 4 years
I followed this documentation to get a token value and a token secret from bitbucket:
https://confluence.atlassian.com/display/BITBUCKET/OAuth+on+Bitbucket
After that I want to push/pull to a given repo by using that token.
At GitHub I can use the token like this: https://help.github.com/articles/git-automation-with-oauth-tokens#step-2-clone-a-repository
My question is how can I use this kind of http authorization at bitbucket (mercurial/git)?
-
VonC almost 9 years
Since June 2015, this seems officially supported. I have edited my answer below accordingly.
-
Chris almost 9 years
Do you know if Bitbucket has any plans to make non-expiring auth tokens? If I'm not mistaken, your remote repository URL will become invalid when your token expires, meaning you won't be able to perform any actions on the remote until you refresh for a new access token and update the url with that new access token. That's quite a nuisance for either the user or the developer of a GIT client to maintain on an hourly basis. Even if the GIT client handles everything properly, the repository will be unusable in any other GIT clients the user uses after that hour passes.
-
Erik van Zijst over 8 years
Yes, we're currently adding non-expiring API tokens, which might be named "App Passwords" by the time we announce them (naming is still being discussed).
-
nazikus over 8 years
Is it possible to obtain access token without callback url? I receive invalid url "No callback uri defined for the OAuth client" when using your example with curl request.
-
mariowise over 8 years
Here is everything in a single command line
git clone "https://x-token-auth:$(curl -X POST -u "[CONSUMER_KEY]:[CONSUMER_SECRET]" https://bitbucket.org/site/oauth2/access_token -d grant_type=client_credentials | grep -Po '(?<="access_token": ")[^"]*')@bitbucket.org/[USER_OR_COMPANY]/[REPO_NAME].git"
-
Nicolás Ozimica over 7 years
Here is a one-liner for tcsh:
git clone https://x-token-auth:`curl -X POST -u "[CONSUMER_KEY]:[CONSUMER_SECRET]" https://bitbucket.org/site/oauth2/access_token -d grant_type=client_credentials | grep -Po '(?<="access_token": ")[^"]*'`@bitbucket.org/[USER]/[REPO]
-
Sunil Sharma about 7 years
Above description is false.
-
Vahid PG about 7 years
@SunilSharma really? Which bit of it? I've been using it.
-
Sunil Sharma about 7 years
request.post("yourKeyHere:yourSecretHere@bitbucket.org/site/oauth2 access_token").send('grant_type=client_credentials'); not working
-
Bruce Sun about 7 years
@nazikus Just add callback url in your oauth consumer settings and try again, it won't really take you to that url when you request an access token.
-
Bruce Sun about 7 years
@ErikvanZijst Hi! Is your method documented in Bitbucket official documentation?
-
Rohan Nicholls almost 7 years
The docs seem to have this wrong with the x-token-auth in place of the user name, as it does not work for me, but the link @Psymatix left above, works.
-
Rohan Nicholls almost 7 years
The second [your_user_name] could be the name of the user/group that is the owner of the repo. So, if you are bubba, and the repo is owned by shrimpingcorp, the url would look like:
https://bubba:[app_password]@bitbucket.org/shrimpingcorp/[repo_name].git
-
oyelaking over 6 years
What of git pulling? How does one perform a git pull later?
-
Randy L almost 6 years
As of today I get an error message like "If you log in via a third party service you must ensure you have an account password set in your account profile." when I try to simply git clone https://x-token-auth:{tokenHere}@bitbucket.org/yourRepoOwnerHere/RepoNameHere.git. Hoping this works with plain-old API endpoints in their v2 API.
-
Randy L almost 6 years
I took off the .git and put double quotes around the whole URL and bingo!
-
SacWebDeveloper almost 6 years
Now if we could just get JWT tokens!
-
Arto Bendiken about 5 years
@ErikvanZijst Four years later, whatever became of the non-expiring API access tokens?
-
Erik van Zijst about 5 years
@ArtoBendiken they were released years ago: confluence.atlassian.com/bitbucket/app-passwords-828781300.html