-
Notifications
You must be signed in to change notification settings - Fork 367
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bitbucket auth broken #676
Comments
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗 |
If you install oauthenticator 15.1.0, do you end up with issues then as well? I'm trying to conclude if this is a regression in 16.0.0 that did a lot of refactoring or a bug that has been around since before. |
Using 15.1.0 I don't get an error until
|
EDIT: this comment is irrelevant, I looked at the wrong REST API, it should have been https://developer.atlassian.com/cloud/bitbucket/rest/api-group-workspaces/#api-workspaces-get. Looking at the request about teams, I see it documented here. Nowhere there is a mention of being able to pass a query parameter like
|
I didn't do a very thorough check about this, but I can't tell whats wrong. In the logs below, things seems to work out correctly with authentication, but the user is simply denied by not being authorized by being a member of a team etc.
Note that I think the team names may be case sensitive and such, I'm not sure if those names really should be used by this authenticator - the names must be unique and I'm not sure the teams are unique. What kind of name did you provide? The Below is a snippet from the REST API Docs describing the response to https://api.bitbucket.org/2.0/workspaces.
|
Interesting, I think I used the slug, which I guess could be why I got 403 here, will have to check again on my work PC tomorrow. I think the slug would have to be unique, as it's part of the URL and it's referred to as an ID, see https://support.atlassian.com/bitbucket-cloud/docs/change-a-workspace-id/ but the name seems to be more of a display name. Can test that tomorrow. There is actually a different flow in 15.1.0 compared to 16.0.5. In 15.1.0, it looks like if In 16.0.5, if the user authentication is ok then team membership is never checked as it returns the value of I had initially thought that the flow of 15.1.0 was how it would work, and team membership could be extra redundancy but being a required username OR in a team makes just as much sense. |
Yes, to confirm, I successfully logged in with 15.1.0 when I set the team name to display name, so 15.1.0 is working correctly. However, the name does not appear to be unique which suggests you should not use it in the authenticator. On my personal account, I was able to create a workspace with the same name as my work company workspace. I'm not sure if it matters or not, because the access token should be tied to the account which has the particular team and they would presumably not want to create multiple workspaces with the same display name. However, the slug is indeed part of the URL and I was not allowed to create a workspace with the same name, so I think that it would be reasonable to use that instead. I think using the slug is more intuitive anyway, but that might just be my preference. |
Okay so there is a clear security related bug with bitbucket oauthenticator about using a name that isn't unique. That should be fixed - its not acceptable. If the non-unique "display name" is used, anyone can proove membership to such display name and get authorized access to your jupyterhub. Besides that, is there another bug when using oauthenticator 16.0.x about making requests to check membership of workspaces etc? |
Yes, in 16.0.x requests to both /2.0/user /2.0/workspaces gets an empty response with 401 code with default setup. Workaround for both is to putting the access token in the URL, which can be done by env variable for /2.0/user but needed a subclass for /2.0/workspace |
Okay so we have two bugs to fix:
With regards to the securit bug, the fix is to switch to With regards to the functional bug, I'm not sure, but I don't want us to pass the access token in a query parameter. Also, this isn't recommended by bitbucket themselves who sais they prefer the header option. Since they suggest they should support passing info in the header, and since 15.1.0 also passes it via the header, I don't understand what has broken in 16.0.x compared to 15.1.0. If you can figure out whats wrong and patch it while still using a header in the GET request, that would be great and a PR I'd see myself merging with a calm mind. |
I think the key debugging of relevance could be to understand how these requests are made in 15.1.0 vs 16.0.x, both go to the same URL, and in my understanding both were using the same headers etc - so whats the difference? Is the requests different? |
I will have a look at the details later on. The difference I see is that in 15.1.0, the headers hardcodes Bearer in Another thing to think about is what I said about the different flow between 15.1 and 16.0, that the team membership is not checked if the user is in the list of allowed users. If it is deliberate, I think that should be documented more specifically that if set a user may be an allowed user OR a member of a team/workspace. |
I think maybe it already is documented to some degree at least, I tried documenting this in the 16.0.0 changelog at least as a breaking change. |
It appears that bitbucket returns |
The RFC says it should be |
@manics apparently it should be case-insentivite anyhow, see the comment in https://jira.atlassian.com/browse/BCLOUD-14135?focusedCommentId=3315945&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-3315945 |
Anyhow, they won't fix it, so, we should make it exactly |
A third UX bug is that its called And, we don't configure BitBucketOAuthenticator's default scope to something that makes things work out of the box either... |
I agree. Is there a case where the type isn't bearer for BitBucket? If not I'd program defensively and throw an exception if |
Bug description
I think this might be a bug in Bitbucket rather than OAuthenticator, but I'm not sure, and it may be specific to my setup. The requests to get user information and workspace permissions get a 401 response, handled as a 500 in Jupyterhub when using BitbucketOAuthenticator.
This appears to be a problem with the way the
Authorization
header is being sent/handled, because including the token in the querystring appears to work. SettingOAUTH2_USERDATA_REQUEST_TYPE=url
in the environment makes it work fortoken_to_user
but_fetch_user_teams
still breaksExpected behaviour
Setting
Authorization
header should successfully authenticate with bitbucket cloudActual behaviour
401 status returned
How to reproduce
Your personal set up
jupyterhub 4.0.2
oauthenticator 16.0.5
Workaround
Currently I have setup
OAUTH2_USERDATA_REQUEST_TYPE=url
in the environment to authenticate on the user API, and am subclassing the_fetch_user_teams
method as below to restrict the workspace.I feel it might be better solved by putting
userdata_token_method
intohttpfetch
if appropriate and in subclasses settingself.userdata_token_method = url
in the bitbucket class.The text was updated successfully, but these errors were encountered: