Add Bitbucket Cloud OAuth login for crates.io #3944
quinnjr wants to merge 2 commits into rust-lang:master from
crates.io has required a GitHub account since 2014. This RFC proposes adding Bitbucket Cloud as a second OAuth provider, building on the oauth_github table introduced in January 2026 as a stepping stone toward multi-provider auth. The design introduces a provider-agnostic OAuthProvider trait, handles Bitbucket's 2-hour token expiry via refresh token rotation, and maps Bitbucket workspaces/user groups to the existing team ownership model.
The placeholder #0000 link now points to the actual PR.
I'm happy to contribute implementation work to rust-lang/crates.io to get this off the ground. I'm available to join the weekly crates.io team meeting to discuss scope and approach, and can start with incremental PRs — e.g., extracting the provider abstraction trait from the existing GitHub-specific code before adding Bitbucket as a second provider.

Hi! Please see rust-lang/crates.io#10611 to get up to speed on the current status of the work that needs to be done before this RFC can be considered, and join https://rust-lang.zulipchat.com/#narrow/channel/318791-t-crates-io/topic/RFC.20.233944.20-.20Add.20Bitbucket.20Cloud.20OAuth.20login.20for.20crates.2Eio/with/583691924 to discuss what you'd like to help with exactly.

@carols10cents I'm currently at a company meeting for a few days and will look at the other RFC when I return.
Summary
This RFC proposes adding Bitbucket Cloud as an OAuth 2.0 login provider for crates.io, allowing users who host their Rust projects on Bitbucket to authenticate and publish crates without requiring a GitHub account.
Motivation
crates.io has required a GitHub account since 2014 (crates.io#326, open since 2015). This creates a single point of failure for identity, excludes enterprise teams on Atlassian tooling, and leaks private org membership via the read:org scope (crates.io#3027).
Key design decisions
- OAuthProvider trait that both GitHub and Bitbucket implement. This makes future providers (GitLab, generic OIDC) straightforward to add.
- oauth_github table (January 2026) was explicitly created as a stepping stone toward multi-provider auth. This RFC extends that pattern with an oauth_bitbucket table.
- TokenManager with just-in-time refresh and encrypted refresh token storage to handle this transparently.
- provider:org:team login format that Team::split_login() already parses.
Rendered
text/0000-crates-io-bitbucket-oauth.md
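The just-in-time refresh with refresh token rotation named in the design decisions can be sketched as follows. This is an added example, not code from the RFC or from crates.io: `Tokens`, `FakeProvider`, `AuthError`, `SKEW_SECS` and this `TokenManager` shape are hypothetical, the provider is an in-memory stand-in for a token endpoint, and at-rest encryption of the stored refresh token is left out.

```rust
// Added illustration: all names are hypothetical, not crates.io or Bitbucket code.
use std::collections::HashSet;

const SKEW_SECS: u64 = 60; // assumed safety margin before expiry

#[derive(Clone, Debug, PartialEq)]
pub struct Tokens { pub access: String, pub refresh: String, pub expires_at: u64 }

#[derive(Debug, PartialEq)]
pub enum AuthError { ReloginRequired }

/// Stand-in token endpoint that rotates refresh tokens: each one is single-use.
pub struct FakeProvider { valid: HashSet<String>, counter: u32, ttl: u64 }

impl FakeProvider {
    pub fn new(ttl: u64) -> Self { Self { valid: HashSet::new(), counter: 0, ttl } }
    /// Issue a fresh access/refresh pair (used for login and for each refresh).
    pub fn issue(&mut self, now: u64) -> Tokens {
        self.counter += 1;
        let refresh = format!("r{}", self.counter);
        self.valid.insert(refresh.clone());
        Tokens { access: format!("a{}", self.counter), refresh, expires_at: now + self.ttl }
    }
    pub fn refresh(&mut self, refresh: &str, now: u64) -> Result<Tokens, AuthError> {
        // A spent or unknown refresh token is rejected.
        if !self.valid.remove(refresh) { return Err(AuthError::ReloginRequired); }
        Ok(self.issue(now))
    }
}

pub struct TokenManager { pub stored: Option<Tokens> }
impl TokenManager {
    /// Return a usable access token, refreshing only when it is about to expire.
    pub fn access_token(&mut self, p: &mut FakeProvider, now: u64) -> Result<String, AuthError> {
        let cur = self.stored.clone().ok_or(AuthError::ReloginRequired)?;
        if now + SKEW_SECS < cur.expires_at { return Ok(cur.access); }
        match p.refresh(&cur.refresh, now) {
            // Persist the rotated pair before handing out the new access token.
            Ok(next) => { self.stored = Some(next.clone()); Ok(next.access) }
            // Rejected refresh token: drop the session so the user must log in again.
            Err(e) => { self.stored = None; Err(e) }
        }
    }
}

fn main() {
    let mut p = FakeProvider::new(2 * 60 * 60); // 2-hour lifetime, as on the page
    let mut m = TokenManager { stored: Some(p.issue(0)) };
    println!("{:?} {:?}", m.access_token(&mut p, 100), m.access_token(&mut p, 7150));
}
```

The failure branch matters operationally: a rejected refresh token means the stored copy is stale or was already used elsewhere, so the session is cleared and no retry is attempted.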