This repository has been archived by the owner. It is now read-only.

we ask for too many perms on bitbucket #822

Closed
chadwhitacre opened this Issue Apr 5, 2013 · 32 comments

Contributor

chadwhitacre commented Apr 5, 2013

Reported in private email. We should ask for the minimum perms.

This is a Bitbucket limitation, and it does not appear they have any intention of changing this, according to official docs.

Bitbucket has rolled out OAuth 2.0, with a reasonable set of scopes.

crimeminister Apr 5, 2013

Thanks for addressing this!

Contributor

chadwhitacre commented Apr 14, 2013

And it turns out it's a Bitbucket limitation:

That's not @gittip being stupid, that's us (bitbucket) not yet supporting narrow privileges on oauth.

https://twitter.com/erikvanzijst/status/323269226313965568

Contributor

chadwhitacre commented Apr 24, 2013

+1 from @dogmatic69 via Twitter.

Contributor

bruceadams commented May 18, 2013

Issue #965 adds a +1 from @selenamarie and another +1 from @wilkie

Contributor

tshepang commented May 18, 2013

Here's the Issue to watch: https://bitbucket.org/site/master/issue/3318.

Contributor

bruceadams commented May 18, 2013

Thanks!

Contributor

chadwhitacre commented May 20, 2013

Thanks @tshepang @bruceadams @selenamarie @wilkie. I've added a +1 over on the Bitbucket ticket.

Contributor

chadwhitacre commented Jun 13, 2013

+1 from @cmbeelby over on #639.

Contributor

chadwhitacre commented Jul 15, 2013

+1 from @glarrain on Twitter.

Contributor

chadwhitacre commented Sep 16, 2013

Nothing we can do here.

Contributor

chadwhitacre commented Sep 21, 2013

+1 from @dustywilson on Google+.

Contributor

rummik commented Sep 21, 2013

Couldn't we say it's an issue on Bitbucket's end on the site?

thiloplanz Nov 1, 2013

Couldn't we say it's an issue on Bitbucket's end on the site?

It is. And if you want them to fix it, vote for https://bitbucket.org/site/master/issue/3318

Contributor

rummik commented Nov 6, 2013

@thiloplanz Well, yeah, but I mean we should put a notice on Gittip about it, saying we can't do anything about it until Bitbucket changes things.

Contributor

chadwhitacre commented Dec 2, 2013

Good call @rummik. Reopened and ticket title changed.

@chadwhitacre chadwhitacre reopened this Dec 2, 2013

Contributor

chadwhitacre commented Dec 2, 2013

+1 from @hartym on Twitter.

Contributor

chadwhitacre commented Mar 4, 2014

+1 from Lindsay.W.Mathieson on Facebook.

Contributor

techtonik commented Apr 25, 2015

+me =/

Contributor

techtonik commented Apr 25, 2015

badbucket

@chadwhitacre chadwhitacre removed the ★★☆ label Mar 4, 2016

Contributor

nobodxbodon commented Jan 14, 2017

https://bitbucket.org/site/master/issues/3318 resolved. Now seems better:
[screenshot not preserved]

Contributor

nobodxbodon commented Jan 19, 2017

Obviously I overlooked the fact that the permissions are over-broad, as I did some research after receiving another user feedback.

According to https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html, seems we only need Account permission? Shall we adjust this ASAP, as it seems to be a quick config change?

Contributor

chadwhitacre commented Jan 19, 2017

Actually, it requires upgrading from their OAuth 1.0 implementation to their OAuth 2.0 implementation. Good to know they have that now! :-)

@chadwhitacre chadwhitacre changed the title from warn people about bitbucket perms limitation to Upgrade to OAuth 2.0 for Bitbucket Jan 19, 2017

Contributor

chadwhitacre commented Jan 19, 2017

Obviously I overlooked the fact that the permissions are over-broad

No worries, so did I. 🎉 retracted! :)

Contributor

nobodxbodon commented Jan 19, 2017

Based on the document, it seems not so complex but still some workload to set up an OAuth 2.0 consumer? How about the workload on coding on our side? Anything I can help to work this out?

Contributor

chadwhitacre commented Jan 20, 2017

We do have an OAuth2 abstraction, which we use for other providers such as GitHub. Ideally this is an hour or two of work.

Contributor

nobodxbodon commented Jan 20, 2017

@whit537 could you give some pointers for any work that I could handle, without sharing your account/password? As it directly impacts user enrollment, IMO it's high priority.

Contributor

chadwhitacre commented Jan 21, 2017

Check out gratipay/elsewhere/bitbucket.py for the implementation and gratipay/elsewhere/github.py for an OAuth2 example.

Contributor

Changaco commented Jan 21, 2017

There's no need to switch to OAuth2, permissions are configurable on Bitbucket. Here's what we ask for Liberapay:

[screenshot not preserved]

And here's what I see when I try to connect a Bitbucket account:

[screenshot not preserved]

Contributor

chadwhitacre commented Jan 21, 2017

Nice! I've changed our settings. Care to retry, @maxkoryukov?

P.S. For the record, our Bitbucket app is under "Settings > Access Management > OAuth > OAuth consumers" for my personal Bitbucket account.

maxkoryukov Jan 22, 2017

@whit537 , works great!

I've connected BitBucket already;)

@chadwhitacre chadwhitacre changed the title from Upgrade to OAuth 2.0 for Bitbucket to we ask for too many perms on bitbucket Jan 23, 2017

Contributor

chadwhitacre commented Jan 23, 2017

Nice! I've downgraded the scope of this ticket again and am closing it.
