Skip to content

feat(bitbucket): add API token authentication support and deprecate A… #8604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(bitbucket): add API token authentication support and deprecate A… #8604

wants to merge 2 commits into from

Conversation

spenpal
Copy link

@spenpal spenpal commented Oct 6, 2025
edited
Loading

Bitbucket API Token Authentication Support

Summary

This PR adds support for Bitbucket API tokens as an authentication method for the Bitbucket plugin, in response to Atlassian's deprecation timeline for App passwords (creation discontinued September 9, 2025; all deactivated June 9, 2026).

Key Changes:

  • Backend: Added UsesApiToken boolean field to track authentication type (both use HTTP Basic Auth with username:credential format)
  • Frontend: Custom authentication component with radio selection between "API Token (Recommended)" and "App Password (Deprecated)"
  • Migration: Automatic backward compatibility for existing App password connections (usesApiToken = false by default)
  • UX: Deprecation warnings in UI and logs, dynamic username guidance (email for API tokens vs. username for App passwords)
  • Documentation: Updated onboarding guide with API token creation instructions and required scopes

Authentication Details:

  • Both methods use HTTP Basic Auth (NOT Bearer tokens)
  • API tokens require Atlassian account email as username
  • App passwords require Bitbucket username
  • Default for new connections: API Token

Testing:

  • 26 unit tests added (13 model, 11 API, 2 migration)
  • All tests passing
  • Backward compatible with existing connections

Does this close any open issues?

Closes #8520

Screenshots

Onboarding Connection Form (API Token - Default)
image

  • Shows deprecation message on the side, warning users about the June 9, 2026 deactivation date.

New Connection Form (From Config-UI)
image

Other Information

Migration Path

  • Existing users: Connections continue working with App passwords; deprecation warnings guide migration to API tokens
  • New users: Default to API tokens (recommended method)
  • Zero breaking changes: All existing connections preserved

Required API Token Scopes

  • read:account - Required to view users profiles
  • read:issue:bitbucket - View your issues
  • read:pipeline:bitbucket - View your pipelines
  • read:project:bitbucket - View your projects
  • read:pullrequest:bitbucket - View your pull requests
  • read:repository:bitbucket - View your repositories
  • read:runner:bitbucket - View your workspaces/repositories' runners
  • read:user:bitbucket - View user info (required for connection test)
  • read:workspace:bitbucket - View your workspaces
screencapture-id-atlassian-manage-profile-security-api-tokens-2025-10-06-11_13_53

spenpal added 2 commits October 6, 2025 02:41
@spenpal
feat(bitbucket): add API token authentication support and deprecate A…
4b4a6f4 
…pp passwords

- Updated Bitbucket connection model to include `UsesApiToken` field for API token support.
- Modified connection handling in the Bitbucket API to use API tokens.
- Added migration script to update existing connections for backward compatibility.
- Updated UI to reflect changes in authentication method and provide guidance on API token usage.
- Updated documentation to inform users about the deprecation of App passwords.
@spenpal
test(bitbucket): add unit tests for API token authentication and conn…
00827f0 
…ection handling

- Introduced tests for Bitbucket connection API, validating API token and app password authentication methods.
- Added tests for connection sanitization to ensure sensitive data is handled correctly.
- Implemented tests for connection status code handling and deprecation warnings for app passwords.
- Enhanced coverage for connection merging logic and authentication setup.

Addresses apache#8520
@dosubot dosubot bot added size:XXL This PR changes 1000+ lines, ignoring generated files. component/plugins This issue or PR relates to plugins needs-cherrypick-v1.0 pr-type/feature-development This PR is to develop a new feature labels Oct 6, 2025
@spenpal spenpal mentioned this pull request Oct 6, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

component/plugins This issue or PR relates to plugins needs-cherrypick-v1.0 pr-type/feature-development This PR is to develop a new feature size:XXL This PR changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Refactor][Bitbucket] Support Bitbucket API tokens in place of App passwords

1 participant

@spenpal