Cannot use group authentication for BitBucket Cloud #6419

Closed
cyberox opened this issue Jan 13, 2021 · 8 comments
cyberox commented Jan 13, 2021

Summary

We can no longer log in using group-based authentication. The user authentication is working.

Steps to reproduce

roles:
- name: owner
  local:
    users: ["admin"]
- name: member
  bitbucket-cloud:
    users: ["cyberox"]
    teams: ["developers"]

Expected results

I can log in, and see the pipelines, using a member in the developers group.

Actual results

The user cyberox can see the correct pipelines, the users in the developers group cannot.

Additional context

The /teams endpoint has been deprecated, and is fixed upstream by: dexidp/dex#1812
According to the documentation, it requires a new config parameter includeTeamGroups: true (https://dexidp.io/docs/connectors/bitbucketcloud/)

Triaging info

  • Concourse version: 6.7.3
  • Did this used to work? Yes
@cyberox cyberox added the bug label Jan 13, 2021
@cyberox
Author

cyberox commented Jan 13, 2021

After a developer login, I can see that the group only contains the org name and no team names:

{"timestamp":"2021-01-13T08:28:43.267880212Z","level":"info","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"login successful: connector \"bitbucket-cloud\", username=\"cyberox\", preferred_username=\"\", email=\"cyberox@private-email.com\", groups=[\"orgname\"]","session":"15"}}
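A way to audit ATC logs for this symptom, as an added example that is not part of the original issue or the Concourse code base: it parses `atc.dex.event` login lines like the one above and lists users whose `groups` carry no team-level entry. It assumes, per the dex connector documentation linked in the report, that team groups appear as `workspace/group` entries once `includeTeamGroups` is enabled; the sample lines, `dev1`, and the e-mail addresses are constructed.

```python
import json
import re

# Matches the dex "login successful" message format seen in the issue's log line.
LOGIN_RE = re.compile(
    r'login successful: connector "([^"]+)", username="([^"]*)".*groups=\[(.*)\]\s*$'
)
# Pulls each quoted group out of the list, whatever separator sits between them.
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_login(line):
    """Return {'connector', 'username', 'groups'} for a dex login line, else None."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None  # not a JSON log line
    if not isinstance(rec, dict) or rec.get("message") != "atc.dex.event":
        return None
    data = rec.get("data")
    msg = data.get("message", "") if isinstance(data, dict) else ""
    m = LOGIN_RE.search(msg)
    if not m:
        return None
    return {"connector": m.group(1), "username": m.group(2),
            "groups": QUOTED_RE.findall(m.group(3))}


def logins_without_team_groups(lines, connector="bitbucket-cloud"):
    """Usernames whose login carried no 'workspace/group' entry (assumed format)."""
    flagged = []
    for line in lines:
        ev = parse_login(line)
        if ev and ev["connector"] == connector and not any("/" in g for g in ev["groups"]):
            flagged.append(ev["username"])
    return flagged


def _line(msg):  # helper that builds constructed sample log lines
    return json.dumps({"timestamp": "2021-01-13T08:28:43Z", "level": "info",
                       "source": "atc", "message": "atc.dex.event",
                       "data": {"fields": {}, "message": msg, "session": "15"}})


SAMPLE_LOG = [  # constructed input, modelled on the line quoted in the issue
    _line('login successful: connector "bitbucket-cloud", username="cyberox", '
          'preferred_username="", email="user@example.com", groups=["orgname"]'),
    _line('login successful: connector "bitbucket-cloud", username="dev1", '
          'preferred_username="", email="dev1@example.com", '
          'groups=["orgname" "orgname/developers"]'),
    _line("keys rotated"),
    "not json",
]

if __name__ == "__main__":
    print(logins_without_team_groups(SAMPLE_LOG))
```
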

@aoldershaw
Contributor

Thanks for the report and investigation. Seems like the fix is just to add includeTeamGroups: true to the bitbucket connector config as you note:

return json.Marshal(bitbucketcloud.Config{
    ClientID:     flag.ClientID,
    ClientSecret: flag.ClientSecret,
    RedirectURI:  redirectURI,

@ringods

ringods commented Jan 18, 2021

@aoldershaw thanks for the feedback. Do you have an estimate when a fix to this could make it in a new Concourse release?

We are in the process of setting up a new Concourse for a team of +100 people and having to configure them by name is quite cumbersome.

@aoldershaw
Contributor

@ringods not sure exactly when, but ASAP - the team will discuss later today. Users have run into a bunch of auth issues in 6.7.3 as a result of bumping upstream dex to patch a CVE.

I opened a PR that adds the includeTeamGroups: true, but we don't actually have a bitbucket cloud account to verify this fixes this issue, so haven't manually tested it yet. Will see about setting one up now

@aoldershaw
Contributor

Update: have set up an account, a workspace, and some groups within the workspace (was surprisingly easy!), and verified that the PR fixes the issue. The only thing I'm a bit confused about is how it worked in 6.7.2 and earlier, given that it should have been trying to use the deprecated /teams endpoint, which has been removed as of October 14, 2020 (https://developer.atlassian.com/cloud/bitbucket/bitbucket-api-teams-deprecation/) - I would've thought Bitbucket auth would be entirely broken.

@ringods

ringods commented Jan 18, 2021

Probably, we were only the first ones to report this. This is a new setup, so no Concourse or Bitbucket Cloud before.

@cyberox
Author

cyberox commented Jan 18, 2021

The bitbucket cloud user authentication always kept working. The teams authentication is broken since at least version 6.7.0 or earlier. (6.7.0 was the first version I tried with BitBucket Cloud)

@aoldershaw
Contributor

Ah okay, thanks for the info!

> The teams authentication is broken since at least version 6.7.0 or earlier. (6.7.0 was the first version I tried with BitBucket Cloud)

Makes sense, that would be the first version released after the /teams endpoint was removed
