
I have worked out how to set up a new team in Concourse CI and can log in as Bitbucket users.

fly set-team -n main \
  --basic-auth-username myuser \
  --basic-auth-password xxxx \
  --generic-oauth-display-name bitbucket \
  --generic-oauth-client-id xxxx  \
  --generic-oauth-client-secret xxxx \
  --generic-oauth-auth-url https://bitbucket.org/site/oauth2/authorize \
  --generic-oauth-token-url https://bitbucket.org/site/oauth2/access_token 

The key to setting it up successfully is that the callback URL for the OAuth consumer in Bitbucket needs to be the Concourse CI website only (no /auth/oauth/callback in the callback URL).

Now I have found a problem. Any user (even a newly registered free user in Bitbucket Cloud) can log in to my Concourse CI server.

After doing some research, I found this:

Generic oAuth

The --generic-oauth-* flags configure a generic oAuth provider which performs no additional verification about the individual user signing in by default. It should only be used with internal auth systems in this way. If it were used to configure Google or Twitter oAuth, for example, it would permit just about every person on the internet to create pipelines. It'd be mighty generous. If you need verification, make sure you are using the --generic-oauth-scope flag.

So is there any way to stop unauthorised Bitbucket Cloud users from logging in, and limit it to my organisation only? Something like GitHub's option --github-auth-organization=ORG.

I tried adding --generic-oauth-scope concourse.main but always get the error:

failed to verify token

I also read OAuth on Bitbucket Cloud - Scopes and tried most of the scopes, such as

--generic-oauth-scope account

I still get the same error.

What should I put in the scope?

Bill
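
The distinction the quoted documentation is making is between authentication (the provider confirms who the account is) and authorization (Concourse decides whether that account is one of yours). The following is an added example, not code from the question or from Concourse, that models the two behaviours side by side: the generic OAuth login accepts anyone the provider issues a token for, and a repository-restricted login, in the spirit of the dedicated connector's --bitbucket-cloud-auth-repository flag, adds a membership check after the token exchange. The authorization codes, tokens, usernames and repository lists are constructed stand-ins for what Bitbucket's token and user endpoints would return; nothing here talks to the real API.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Identity:
    """Account as the provider's user API would describe it (constructed)."""
    username: str
    # workspace/repo slugs the account can see, as /2.0/repositories would list them
    repositories: Set[str] = field(default_factory=set)


# Constructed stand-in for Bitbucket Cloud: the authorization codes the
# /authorize step would hand back, the tokens /access_token exchanges them
# for, and the account behind each token. Real values are opaque; these are fake.
FAKE_CODES_TO_TOKENS: Dict[str, str] = {
    "code-alice": "tok-alice",
    "code-mallory": "tok-mallory",
}
FAKE_TOKENS_TO_IDENTITY: Dict[str, Identity] = {
    "tok-alice": Identity("alice", {"myorg/myrepo", "myorg/infra"}),
    # a freshly registered free account that has nothing to do with myorg
    "tok-mallory": Identity("mallory", {"mallory/scratch"}),
}


def exchange_code(code: str, scope: str = "account") -> Optional[str]:
    """Stand-in for POST https://bitbucket.org/site/oauth2/access_token.

    The scope only narrows what the token may later do with the API; it says
    nothing about *who* the account is, which is why a scope flag cannot act
    as an organisation filter. It is accepted and ignored here for that reason.
    """
    return FAKE_CODES_TO_TOKENS.get(code)


def fetch_identity(token: str) -> Optional[Identity]:
    """Stand-in for GET /2.0/user plus GET /2.0/repositories with the token."""
    return FAKE_TOKENS_TO_IDENTITY.get(token)


def generic_oauth_login(code: str) -> Optional[str]:
    """Authentication only, which is how a generic OAuth provider behaves: a
    successful code exchange is the whole check, so any account the provider
    will issue a token for is let in. Returns the username the session gets."""
    token = exchange_code(code)
    if token is None:
        return None
    identity = fetch_identity(token)
    return identity.username if identity else None


def repository_restricted_login(code: str, allowed_repos: Set[str]) -> Optional[str]:
    """Authentication plus authorization: after the token exchange, reject
    accounts that cannot see any of the allow-listed repositories. This is the
    extra step a provider-specific connector performs and a generic one does not."""
    token = exchange_code(code)
    if token is None:
        return None
    identity = fetch_identity(token)
    if identity is None:
        return None
    if not identity.repositories & allowed_repos:
        return None  # authenticated with Bitbucket, but not one of ours
    return identity.username


if __name__ == "__main__":
    allowed = {"myorg/myrepo"}
    for code in ("code-alice", "code-mallory", "code-bogus"):
        print(code,
              "generic:", generic_oauth_login(code),
              "restricted:", repository_restricted_login(code, allowed))
```

Running it shows mallory, the throwaway account, getting a session from the generic path and being refused by the restricted one, while alice passes both. The membership check is deliberately done server-side with the freshly issued token rather than trusting anything the client sends, since the whole point is that the provider authenticates but only the CI server can authorize.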

2 Answers


For Concourse CI >= v.3.7 and <= v.4.0 you can use the dedicated Bitbucket Cloud authentication provider. I've written a blog post about this but the gist is to use

fly -t ci set-team -n dev --bitbucket-cloud-auth-client-id=xxx --bitbucket-cloud-auth-client-secret=xxx --bitbucket-cloud-auth-repository=myorg/myrepo

Sadly, Concourse 4.0's new user model no longer supports bitbucket cloud.

There is no longer support for BitBucket auth. Sorry - Dex doesn't support it. :( However we do support generic LDAP, oAuth, and OIDC connectors, which you may be able to use instead.

Johannes Rudolph

The Concourse master branch got BitBucket Cloud OAuth back, see

As of today (2018-11-15), there is no release yet supporting BitBucket Cloud OAuth, but the next release, which is due soon, will :-)

marco.m