feat(web): add Bitbucket Server (Data Center) SSO identity provider #934

Merged: brendan-kellam merged 5 commits into main from brendan/bitbucket-server-sso on Feb 25, 2026
@brendan-kellam brendan-kellam commented Feb 24, 2026

Summary

  • Adds bitbucket-server as a new OAuth 2.0 SSO identity provider for self-hosted Bitbucket Server / Data Center instances
  • Implements a custom provider with a two-step userinfo fetch (whoami → user profile) since there is no built-in Auth.js provider
  • Adds documentation under the External Identity Providers page

Details

The provider uses Bitbucket Server's OAuth 2.0 endpoints:

  • Authorize: {baseUrl}/rest/oauth2/latest/authorize
  • Token: {baseUrl}/rest/oauth2/latest/token (with client_secret_post auth method)
  • User info: GET {baseUrl}/plugins/servlet/applinks/whoami → username → GET {baseUrl}/rest/api/1.0/users/{username}

Test plan

  • Register an OAuth 2.0 incoming application link in Bitbucket Server admin with callback URL <sourcebot_url>/api/auth/callback/bitbucket-server
  • Add the identity provider config to config.yaml with valid credentials
  • Verify the "Bitbucket Server" sign-in button appears on the login page
  • Complete the OAuth flow and verify user name/email are correctly populated
  • Verify providerAccountId in the database is set to the numeric Bitbucket user ID (not the username)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Added support for Bitbucket Server (Data Center) as an OAuth 2.0 SSO identity provider, including configurable client credentials and base URL, and updated config validation to accept this provider.
  • Documentation
    • Added comprehensive setup docs and examples for registering OAuth apps, environment/secret configuration, and identity provider config for Bitbucket Server.

Adds `bitbucket-server` as a custom OAuth 2.0 SSO identity provider for
self-hosted Bitbucket Server / Data Center instances. Uses a two-step
userinfo fetch (whoami → user profile API) and client_secret_post for
token exchange, as required by Bitbucket Server's OAuth 2.0 implementation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
coderabbitai bot commented Feb 24, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 764147f and 0cc09c1.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • packages/web/src/ee/features/sso/sso.ts

Walkthrough

Adds Bitbucket Server (Data Center) OAuth 2.0 SSO support by introducing a new provider type bitbucket-server across schemas, types, docs, SSO wiring, and provider utilities. (New schema, types, docs, SSO factory, provider registration, and UI provider info.)

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Changelog & Docs | CHANGELOG.md, docs/docs/configuration/idp.mdx, docs/snippets/schemas/v3/identityProvider.schema.mdx, docs/snippets/schemas/v3/index.schema.mdx | Added changelog entry and documentation for Bitbucket Server SSO; included registration steps, env var guidance, and example identity provider config. |
| JSON Schema | schemas/v3/identityProvider.json | Added BitbucketServerIdentityProviderConfig definition and added it to the identityProviders oneOf union. |
| Schema TS (runtime schemas) | packages/schemas/src/v3/identityProvider.schema.ts, packages/schemas/src/v3/index.schema.ts | Introduced BitbucketServerIdentityProviderConfig schema (provider "bitbucket-server", purpose "sso", clientId/clientSecret as env or googleCloudSecret, required baseUrl) and added to oneOf alternatives. |
| Type Definitions | packages/schemas/src/v3/identityProvider.type.ts, packages/schemas/src/v3/index.type.ts | Added BitbucketServerIdentityProviderConfig interface and expanded the IdentityProviderConfig union to include it. |
| SSO Implementation | packages/web/src/ee/features/sso/sso.ts | Registered bitbucket-server provider, added createBitbucketServerProvider factory implementing OAuth token exchange, userinfo fetch, and profile mapping; integrated into EE provider wiring. |
| Provider Utilities | packages/web/src/lib/utils.ts | Added bitbucket-server case to getAuthProviderInfo returning id, name, displayName, and icon. |

Sequence Diagram(s)

sequenceDiagram
  participant User as User
  participant App as Sourcebot App
  participant Auth as Bitbucket Server (Auth)
  participant API as Bitbucket Server (API)

  User->>App: Click "Sign in with Bitbucket Server"
  App->>Auth: Redirect to authorization endpoint (client_id, redirect_uri, scope, state)
  Auth->>User: Prompt for consent
  User->>Auth: Grant access
  Auth-->>App: Redirect back with code
  App->>Auth: POST token exchange (code, client_secret)
  Auth-->>App: Return access_token / refresh_token
  App->>API: GET userinfo using access_token
  API-->>App: Return user profile
  App->>App: Map profile to identity, create session
  App-->>User: Redirect to application (authenticated)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • msukkari
🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately and concisely describes the main change: adding Bitbucket Server (Data Center) SSO identity provider support, which aligns with the comprehensive implementation across schemas, types, and the web SSO layer. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
packages/schemas/src/v3/identityProvider.schema.ts (1)

914-921: Generated schema reflects the same baseUrl format gap.

This is the same issue already noted in the JSON schema source; fix there and regenerate to keep artifacts aligned.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/schemas/src/v3/identityProvider.schema.ts` around lines 914 - 921,
The generated schema's "baseUrl" property uses an incorrect/overly permissive
regex in identityProvider.schema.ts; update the source JSON schema (the original
schema definition that defines the "baseUrl" property's "pattern") to the
correct URL pattern (fix the pattern value for the "baseUrl" property) and then
regenerate the TypeScript artifacts so identityProvider.schema.ts is regenerated
with the corrected "baseUrl" pattern.
🧹 Nitpick comments (2)
schemas/v3/identityProvider.json (1)

235-240: Add format validation to baseUrl for schema consistency.

Line 235 defines baseUrl without a format, while other URL-based provider fields in this schema include one. Adding it improves consistency and tooling validation.

♻️ Suggested schema tweak
                 "baseUrl": {
                     "type": "string",
+                    "format": "url",
                     "description": "The URL of the Bitbucket Server/Data Center host.",
                     "examples": ["https://bitbucket.example.com"],
                     "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
                 }
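Review bot: The added `"format": "url"` line disagrees with the instruction that accompanies this suggestion, which asks for `"format": "uri"`. Settle on one value, the one the schema's other URL fields already use, before applying the change, so the source schema and the artifacts regenerated from it carry the same format keyword.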
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@schemas/v3/identityProvider.json` around lines 235 - 240, The baseUrl
property in the identityProvider schema is missing a format and should include
one for consistency with other URL fields; update the "baseUrl" JSON schema
entry (the property named "baseUrl") to add "format": "uri" alongside the
existing "type", "description", "examples", and "pattern" so tooling/validators
recognize it as a URL while preserving the existing pattern.
docs/snippets/schemas/v3/index.schema.mdx (1)

5455-5462: Add format: "url" to baseUrl for schema consistency.

Line 5456 and Line 6383 define URL fields without format: "url", unlike other host URL fields in this schema. Pattern validation exists, but adding format improves consistency and editor/schema tooling support.

Suggested diff
               "baseUrl": {
                 "type": "string",
+                "format": "url",
                 "description": "The URL of the Bitbucket Server/Data Center host.",
                 "examples": [
                   "https://bitbucket.example.com"
                 ],
                 "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
               }
               "baseUrl": {
                 "type": "string",
+                "format": "url",
                 "description": "The URL of the Bitbucket Server/Data Center host.",
                 "examples": [
                   "https://bitbucket.example.com"
                 ],
                 "pattern": "^https?:\\/\\/[^\\s/$.?#].[^\\s]*$"
               }
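Review bot: The unchanged `pattern` line in both blocks starts with `^https?:`, so a plain `http://` baseUrl still validates, and adding `format` does not change that. This baseUrl is the host for the authorize and token endpoints, and the token exchange uses client_secret_post, so over http the client secret and the authorization code would travel unencrypted. Consider tightening the pattern to `^https:` or stating an https requirement in the `description`.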

Also applies to: 6382-6389

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/snippets/schemas/v3/index.schema.mdx` around lines 5455 - 5462, The
schema property "baseUrl" currently has type:string and a pattern but is missing
the JSON Schema format; update the "baseUrl" property definitions (the property
named baseUrl in this schema and the corresponding baseUrl occurrence around the
other section) to include format: "url" in addition to the existing type and
pattern so editors and tooling recognize it as a URL and match other host URL
fields in the document.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/web/src/ee/features/sso/sso.ts`:
- Around line 279-287: In the request method, harden the userinfo fetches by
adding request timeouts and response-status checks and by URL-encoding the
username before building the profile URL: use an AbortController (or equivalent)
with a short timeout for both the whoami fetch and the profile fetch, check
whoamiRes.ok and profileRes.ok and throw/return a clear error if either is not
OK, derive username via (await whoamiRes.text()).trim() but pass it through
encodeURIComponent before interpolating into
`${baseUrl}/rest/api/1.0/users/${...}`, and ensure any aborted/timeouted fetches
are handled and surfaced rather than allowing hangs or malformed lookups.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9173835 and 764147f.

📒 Files selected for processing (11)
  • CHANGELOG.md
  • docs/docs/configuration/idp.mdx
  • docs/snippets/schemas/v3/identityProvider.schema.mdx
  • docs/snippets/schemas/v3/index.schema.mdx
  • packages/schemas/src/v3/identityProvider.schema.ts
  • packages/schemas/src/v3/identityProvider.type.ts
  • packages/schemas/src/v3/index.schema.ts
  • packages/schemas/src/v3/index.type.ts
  • packages/web/src/ee/features/sso/sso.ts
  • packages/web/src/lib/utils.ts
  • schemas/v3/identityProvider.json
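
The hardening requested in the inline comment on `packages/web/src/ee/features/sso/sso.ts` (timeouts, status checks, URL-encoding the whoami username), applied to the two-step userinfo fetch from the PR description. This is an added example, not the code merged in this PR; the function and type names, the Bearer authorization header, the 5-second default timeout and the profile field names `id`, `displayName` and `emailAddress` are assumptions.

```typescript
// Added example (not the code merged in sso.ts). Type and function names are hypothetical.
type HttpResponse = { ok: boolean; status: number; text(): Promise<string>; json(): Promise<unknown> };
type HttpGet = (url: string, init: { headers: Record<string, string>; signal: AbortSignal }) => Promise<HttpResponse>;
type BitbucketProfile = { id: string; name: string; email: string | null };

// The whoami body is untrusted input: trim it, reject empty, and percent-encode it
// so characters such as "/" or "?" cannot change the path of the profile request.
function buildProfileUrl(baseUrl: string, whoamiBody: string): string {
  const username = whoamiBody.trim();
  if (username === "") throw new Error("whoami returned an empty username");
  return `${baseUrl.replace(/\/+$/, "")}/rest/api/1.0/users/${encodeURIComponent(username)}`;
}

// One GET with a bearer token (assumed), a status check, and a timeout that also covers the body read.
async function getChecked<T>(get: HttpGet, url: string, token: string, timeoutMs: number,
                             read: (res: HttpResponse) => Promise<T>): Promise<T> {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await get(url, { headers: { Authorization: `Bearer ${token}` }, signal: controller.signal });
    if (!res.ok) throw new Error(`GET ${url} failed with HTTP ${res.status}`);
    return await read(res);
  } finally {
    clearTimeout(timer);
  }
}

// Two-step userinfo fetch: whoami -> username -> user profile.
async function fetchBitbucketServerProfile(get: HttpGet, baseUrl: string, token: string,
                                           timeoutMs = 5000): Promise<BitbucketProfile> {
  const root = baseUrl.replace(/\/+$/, "");
  const whoami = await getChecked(get, `${root}/plugins/servlet/applinks/whoami`, token, timeoutMs, (r) => r.text());
  const raw = await getChecked(get, buildProfileUrl(root, whoami), token, timeoutMs, (r) => r.json());
  // Field names id / displayName / emailAddress are assumed, not taken from the page.
  const user = (raw ?? {}) as { id?: unknown; displayName?: unknown; emailAddress?: unknown };
  // The account key must be the numeric user ID, never the username.
  if (typeof user.id !== "number" || !Number.isInteger(user.id)) throw new Error("profile has no numeric id");
  return {
    id: String(user.id),
    name: typeof user.displayName === "string" ? user.displayName : "",
    email: typeof user.emailAddress === "string" ? user.emailAddress : null,
  };
}
```

In a provider, the global `fetch` can be passed as `get`; tests can pass a stub that returns constructed responses.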

brendan-kellam and others added 3 commits February 24, 2026 16:01
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@brendan-kellam brendan-kellam merged commit 73a002c into main Feb 25, 2026
9 of 10 checks passed
@brendan-kellam brendan-kellam deleted the brendan/bitbucket-server-sso branch February 25, 2026 00:06