Access Tokens no longer work as expected after upgrading Bitbucket Data Center
About the platform: Data Center - This article applies to Atlassian products on the Data Center platform.
This knowledge base article was written for the Data Center version of the product. Data Center knowledge base articles for features that are not Data Center specific may also work with the Server version of the product, but this has not been tested. Support for Server* products ended on February 15, 2024. If you are using a Server product, see the Atlassian Server end of support announcement page for your migration options.
*Except Fisheye and Crucible
Summary
After upgrading Bitbucket Data Center from 8.9.21, 8.19.11, 9.3.1, or older to 8.9.22, 8.19.12, 9.3.2 or newer, access tokens no longer work as expected. For instance, requests sent using tokens may be redirected to the login page, or may result in a 401 Unauthorized response, potentially leading to accounts being locked and requiring a captcha to be cleared.
Environment
- Bitbucket Data Center 8.9.22, 8.19.12, 9.3.2 or newer
- The path of the request URL does not start with /rest or /scm
Diagnosis
When sending an HTTP request (for instance programmatically or using curl or wget) to a Bitbucket Data Center URL that is not handled by the REST API or SCM operations (i.e. the path of the URL does not start with /rest or /scm) and providing an access token as a credential for the request, the response from Bitbucket Data Center is unexpected:
- If the access token is provided in the Authorization header, the response carries the 302 Found status code and has a Location header that contains the URL to the login page of Bitbucket Data Center.
- If Basic authentication is used and the access token is provided instead of the user's password, the response carries the 401 Unauthorized status code. Sending such requests repeatedly can lead to the account used being locked and requiring a captcha to be cleared.
Cause
This is the expected behaviour starting with Bitbucket Data Center 8.9.22, 8.19.12 and 9.3.2. In order to address a security vulnerability, access tokens can now only be used for requests to REST API endpoints and for SCM operations, i.e. they can only be used for requests to URLs whose path begins with /rest or /scm. Note: if you are using Bitbucket Data Center with a context root, that context root is prefixed, so access tokens can only be used for requests to URLs whose path begins with /<context root>/rest or /<context root>/scm.
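The rule above is easy to encode as a pre-flight check in automation that calls Bitbucket with a token, so that a misrouted request is refused before it is sent rather than retried until the account is locked. The following Python is an added example, not Atlassian code: it applies the /rest and /scm rule (with context root handling) to a request URL, and classifies a response as one of the two symptoms described in the Diagnosis section. The function names, the sample URLs, the segment-wise matching (so /restricted does not count as /rest) and the assumption that the login page is at <base URL>/login are illustrative choices, not taken from the product documentation.

```python
"""Pre-flight check for scripts that call Bitbucket Data Center with an
access token.

Added example, not Atlassian code. It encodes the rule from this article:
from 8.9.22 / 8.19.12 / 9.3.2 onwards an access token is only accepted for
URLs whose path begins with /rest or /scm, prefixed by the context root if
one is configured. Function names, the sample URLs and the assumption that
the login page lives at <base URL>/login are illustrative.
"""
from urllib.parse import urlparse

# Path prefixes (relative to the context root) for which tokens still work.
TOKEN_PATH_PREFIXES = ("/rest", "/scm")


def _under(path: str, prefix: str) -> bool:
    """True if path equals prefix or is a sub-path of it (whole segments).

    Assumption: segment-wise matching, so /restricted does not count as
    /rest. The article only says "begins with"; this is the stricter reading.
    """
    return path == prefix or path.startswith(prefix + "/")


def token_allowed(base_url: str, request_url: str) -> bool:
    """Return True if an access token may authenticate request_url.

    base_url is the instance base URL including any context root, e.g.
    https://bitbucket.example.com/bitbucket. A request to a different
    scheme or host, or outside the context root, returns False.
    """
    base = urlparse(base_url)
    req = urlparse(request_url)
    if (req.scheme, req.netloc) != (base.scheme, base.netloc):
        return False
    context_root = base.path.rstrip("/")
    path = req.path or "/"
    if context_root:
        if not _under(path, context_root):
            return False
        path = path[len(context_root):] or "/"
    return any(_under(path, p) for p in TOKEN_PATH_PREFIXES)


def classify_response(auth_scheme: str, status: int, headers: dict, base_url: str) -> str:
    """Map an HTTP response to the two symptoms described in the article.

    auth_scheme is "bearer" (token in the Authorization header) or "basic"
    (token supplied as the Basic-auth password). Returns
    "redirected-to-login", "unauthorized" or "other".
    """
    if auth_scheme == "bearer" and status == 302:
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        if location.startswith(base_url.rstrip("/") + "/login"):
            return "redirected-to-login"
    if auth_scheme == "basic" and status == 401:
        return "unauthorized"
    return "other"


def guard_request(base_url: str, request_url: str) -> None:
    """Raise before sending, so a token is never offered to a path that
    will reject it. Repeated 401s lock the account and require a captcha,
    so refusing up front is safer than retrying on failure."""
    if not token_allowed(base_url, request_url):
        raise PermissionError(
            f"{request_url} is outside /rest and /scm of {base_url}; "
            "an access token will be rejected. Use a REST endpoint instead."
        )


if __name__ == "__main__":
    # Constructed sample URLs for an instance with context root /bitbucket.
    BASE = "https://bitbucket.example.com/bitbucket"
    for url in (
        BASE + "/rest/api/1.0/projects",
        BASE + "/scm/proj/repo.git/info/refs",
        BASE + "/projects/PROJ/repos/repo/browse",
        "https://bitbucket.example.com/rest/api/1.0/projects",  # context root missing
    ):
        print(f"{url}: token {'allowed' if token_allowed(BASE, url) else 'rejected'}")
```

Call guard_request(base_url, url) before each token-authenticated request in a script; classify_response is useful when triaging logs from existing automation that started failing after the upgrade, since a 302 to /login with a bearer token, or a 401 with the token as Basic-auth password, points at this restriction rather than at an expired or revoked token.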
Solution
As a workaround, refer to the Bitbucket Data Center REST API reference to see whether a REST API endpoint is available for what you need and use that instead. Otherwise, if you cannot use the REST API and wish to continue sending requests as before, use Basic authentication with the user's password instead of an access token. Note that a password is not limited to /rest and /scm the way a token now is, so it grants broader access than the token did; keep such automation to the minimum required and prefer the REST API wherever an endpoint exists.