
    • Type: Bug
    • Resolution: Unresolved
    • Priority: Blocker
    • Component/s: bitbucket-oauth-plugin
    • Environment:
      PRODUCTION

      The Bitbucket OAuth Plugin sends the OAuth2 access token as an access_token query string parameter instead of using the Authorization: Bearer header. This is because the plugin uses Scribe 1.3.3, whose OAuth20ServiceImpl.signRequest() method defaults to request.addQuerystringParameter(OAuthConstants.ACCESS_TOKEN, accessToken.getToken()), and the plugin's BitbucketOAuth20Service inner class in BitbucketApiV2.java does not override signRequest().
      Bitbucket Cloud has announced CHANGE-3052, which deprecates passing OAuth access tokens via query parameters or POST body. Brownouts began April 20, 2026, and full enforcement is May 4, 2026, after which this plugin will be permanently broken.

      Affected Code
      File: src/main/java/org/jenkinsci/plugins/api/BitbucketApiV2.java
      The inner class BitbucketOAuth20Service (line 43) extends OAuth20ServiceImpl but does not override signRequest(). The inherited implementation sends the token as a query parameter:

      // Inherited from org.scribe.oauth.OAuth20ServiceImpl (Scribe 1.3.3)
      public void signRequest(Token accessToken, OAuthRequest request) {
          // Appends ?access_token=<token> to the URL; no Authorization header is set
          request.addQuerystringParameter(OAuthConstants.ACCESS_TOKEN, accessToken.getToken());
      }

      This causes all API calls in BitbucketApiService.java (lines 68 and 85) to send requests like:

      GET https://api.bitbucket.org/2.0/user?access_token=XXXXX
      GET https://api.bitbucket.org/2.0/user/workspaces?access_token=XXXXX

      Instead of:

      GET https://api.bitbucket.org/2.0/user
      Authorization: Bearer XXXXX
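      An added example of the override the inner class is missing (not the plugin's or Scribe's own code): a stand-in class, hypothetically named BearerOAuth20Service, that signs requests with the Authorization header using the Scribe 1.3.3 API, plus a small check that the token no longer appears in the URL. It assumes Bitbucket Cloud's public OAuth2 endpoints for the anonymous DefaultApi20 and uses placeholder credentials and a constructed token.

```java
import org.scribe.builder.api.DefaultApi20;
import org.scribe.model.OAuthConfig;
import org.scribe.model.OAuthConstants;
import org.scribe.model.OAuthRequest;
import org.scribe.model.Token;
import org.scribe.model.Verb;
import org.scribe.oauth.OAuth20ServiceImpl;

// Hypothetical stand-in for the plugin's BitbucketOAuth20Service inner class.
// Everything is inherited from Scribe 1.3.3 except signRequest().
public class BearerOAuth20Service extends OAuth20ServiceImpl {

    public BearerOAuth20Service(DefaultApi20 api, OAuthConfig config) {
        super(api, config);
    }

    /** Sends "Authorization: Bearer <token>" and deliberately skips super.signRequest(),
     *  so the token is never appended to the URL as ?access_token=... (URLs end up in
     *  access logs and proxy logs; headers normally do not). */
    @Override
    public void signRequest(Token accessToken, OAuthRequest request) {
        request.addHeader(OAuthConstants.HEADER, "Bearer " + accessToken.getToken());
    }

    /** Unit-test style check: token present in the header and absent from the URL. */
    public static boolean isBearerSigned(OAuthRequest request) {
        String auth = request.getHeaders().get(OAuthConstants.HEADER);
        boolean headerOk = auth != null && auth.startsWith("Bearer ");
        boolean tokenInUrl = request.getCompleteUrl().contains(OAuthConstants.ACCESS_TOKEN + "=");
        return headerOk && !tokenInUrl;
    }

    public static void main(String[] args) {
        // Minimal DefaultApi20 with Bitbucket Cloud's OAuth2 endpoints (assumed here).
        DefaultApi20 api = new DefaultApi20() {
            @Override public String getAccessTokenEndpoint() {
                return "https://bitbucket.org/site/oauth2/access_token";
            }
            @Override public String getAuthorizationUrl(OAuthConfig config) {
                return "https://bitbucket.org/site/oauth2/authorize?client_id=" + config.getApiKey() + "&response_type=code";
            }
        };
        OAuth20ServiceImpl service = new BearerOAuth20Service(api, new OAuthConfig("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER"));
        OAuthRequest request = new OAuthRequest(Verb.GET, "https://api.bitbucket.org/2.0/user");
        service.signRequest(new Token("XXXXX", ""), request);   // constructed token; nothing is sent
        System.out.println(request.getCompleteUrl());
        System.out.println(isBearerSigned(request));
    }
}
```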

      Reproduction steps

      1. Install Jenkins v2.516.3 (or any recent version)
      2. Install Bitbucket OAuth Plugin v0.16
      3. Configure Bitbucket OAuth Plugin with a valid Bitbucket OAuth consumer (Client ID and Client Secret)
      4. Configure Jenkins to use "Bitbucket OAuth Plugin" as the Security Realm
      5. Log out of Jenkins
      6. Attempt to log in via Bitbucket OAuth during a CHANGE-3052 brownout window (see schedule below) or after May 4, 2026
      CHANGE-3052 Brownout Schedule (UTC)

      Date                Duration          Windows (UTC)
      Apr 20-21, 2026     15 min            00:00, 06:00, 12:00, 18:00
      Apr 22-23, 2026     30 min            00:00, 06:00, 12:00, 18:00
      Apr 24-25, 2026     1 hour            00:00, 06:00, 12:00, 18:00
      Apr 26-27, 2026     2 hours           00:00, 06:00, 12:00, 18:00
      Apr 28-May 3, 2026  TBD (increasing)  Multiple
      May 4, 2026         Permanent         Full enforcement

      Expected Results

      • User is successfully authenticated via Bitbucket OAuth
      • User is redirected back to Jenkins and logged in
      • Workspace roles are correctly assigned

      Actual Results

      • After Bitbucket redirects back to Jenkins (/securityRealm/finishLogin?code=...), the plugin attempts to call Bitbucket API endpoints with the access token in the query string
      • Bitbucket returns HTTP 401 during brownout windows (and permanently after May 4, 2026)
      • Jenkins displays: "Oops! A problem occurred while processing the request" with a Logging ID
      • Users are completely unable to log in to Jenkins

    • Assignee: Unassigned
    • Reporter: Suhas
    • Votes: 3
    • Watchers: 8