feat(auth): OAuth 2.0 login for Cloud and Data Center

[avivsinai]

Context

bkt auth login currently uses API tokens (Cloud) and PATs (DC) with copy-paste. Both Bitbucket Cloud and Data Center support OAuth 2.0 for API access, which would enable a browser-based login flow similar to gh auth login --web.

This came up during review of #133 and triage of #121 — the auth UX has room to improve.

What Bitbucket supports

	Cloud	DC
Auth Code Grant (3LO)	Yes	Yes
PKCE	No	Yes
Device Flow (RFC 8628)	No	No
Localhost redirect (RFC 8252)	Yes	Likely (admin-controlled)

Sources:

• Cloud: https://developer.atlassian.com/cloud/bitbucket/rest/intro/#oauth-2-0
• DC: https://confluence.atlassian.com/bitbucketserver/bitbucket-oauth-2-0-provider-api-1108483661.html

What gh does

gh auth login --web uses OAuth device flow (RFC 8628), falling back to auth code + localhost server. Bitbucket doesn't support device flow on either platform, so bkt would use the auth-code + localhost-server pattern.

Rough implementation sketch

Cloud:

1. Register an OAuth consumer in a bkt-owned workspace (scopes: repository, pullrequest, account, etc.)
2. bkt auth login --web starts a temporary localhost HTTP server, opens browser to Bitbucket's authorize URL
3. User grants access, Bitbucket redirects to localhost with auth code
4. Exchange code for access_token + refresh_token (2h TTL, auto-refresh)
5. Store tokens in config, auto-refresh on expiry

Caveat: Cloud lacks PKCE, so the client_secret ships with the binary. Same trade-off gh makes.

DC:
Same flow but with PKCE (no embedded secret needed). Endpoints at /rest/oauth2/latest/.... Requires admin to set up an Application Link.

Trade-offs vs current auth

• Better UX: one-click browser flow vs copy-paste tokens
• Better security: short-lived tokens (2h) with auto-refresh vs long-lived PATs
• More setup: OAuth consumer registration (Cloud), Application Links (DC)
• Embedded secret: Cloud requires client_secret in binary (no PKCE)

Scope

This would add a --web / --oauth flow alongside the existing token-based login, not replace it. Token-based auth remains the default for headless/CI use cases (especially with BKT_TOKEN).

Not blocking anything — just capturing the research while it's fresh.

[ekrako]

Implementation Context — OAuth 2.0 Login (Cloud)

Branch: 136-oauth-login-cloud
Scope: Cloud only (DC OAuth is a follow-up)

---

Goal

Add a browser-based OAuth 2.0 login flow (bkt auth login --web) for Bitbucket Cloud, alongside the existing API-token-paste flow. Short-lived access tokens (2h) with transparent auto-refresh replace long-lived static tokens.

Design Decisions

Decision	Choice	Rationale
OAuth grant type	Auth Code + localhost redirect (RFC 8252)	Cloud has no Device Flow; PKCE not supported on Cloud
Client secret	Embedded in binary	Cloud requires it (no PKCE). Same trade-off as gh.
Token storage format	JSON blob in same keyring key	Avoids multiplying keyring entries; keeps secret store API unchanged
Token refresh	Transparent in httpx.Client on 401	Best UX — commands just work without manual refresh
Auth method value	"oauth" added to allowed set	Distinguishes OAuth hosts from basic/bearer for client wiring

Prerequisites

• Register an OAuth consumer in a bkt-owned Bitbucket Cloud workspace
  • Callback URL: http://127.0.0.1:<port>/callback (port chosen at runtime)
  • Scopes: account, repository, pullrequest, issue

OAuth Flow

1. bkt auth login bitbucket.org --web
2. CLI picks random port, starts localhost server, opens browser to authorize URL
3. User grants access → Bitbucket redirects to localhost with auth code
4. CLI exchanges code for access_token + refresh_token
5. Verifies token via /2.0/user, stores JSON blob in keyring
6. Saves host config (auth_method=oauth), prints success

Token Refresh

1. httpx.Client gets 401 on API request
2. Calls TokenRefresher callback → refreshes via grant_type=refresh_token
3. Updates keyring with new tokens, retries original request
4. If refresh fails → error prompting re-login

Token Storage

Same keyring key (host/<key>/token). OAuth hosts store JSON:

{ "access_token": "...", "refresh_token": "...", "expires_at": "2026-04-08T14:00:00Z" }

Non-OAuth hosts store plain string (unchanged). Detection: value starts with {.

Files to Create

File	Purpose
pkg/oauth/server.go	Localhost HTTP callback server
pkg/oauth/flow.go	OAuth flow orchestration (authorize URL, open browser, exchange code)
pkg/oauth/token.go	Token types, refresh logic, expiry checks
pkg/oauth/cloud.go	Cloud-specific constants (endpoints, client_id, scopes)

Files to Modify

• pkg/cmd/auth/auth.go — --web flag, branch to OAuth flow
• pkg/httpx/client.go — TokenRefresher callback, call on 401 before retry
• internal/config/config.go — allow "oauth" auth method
• internal/secret/store.go — JSON blob marshal/unmarshal helpers
• pkg/cmdutil/client.go — wire TokenRefresher when auth_method=oauth
• pkg/cmdutil/context.go — load OAuth token blob, extract access_token

Acceptance Criteria

• bkt auth login bitbucket.org --web completes the full OAuth browser flow
• Access + refresh tokens stored as JSON blob in keyring
• bkt auth status shows OAuth expiry info
• API calls transparently refresh expired tokens on 401
• Existing token-paste login unchanged (no --web = current behavior)
• --web with --kind dc returns clear error
• Tests cover: localhost server, code exchange, token refresh, 401-retry, JSON blob storage
• bkt auth logout clears OAuth tokens

Out of Scope

• DC OAuth (PKCE + Application Links)
• Device flow (Bitbucket doesn't support RFC 8628)
• User-provided OAuth consumers
• Token revocation on logout via API

[ekrako]

OAuth consumer registration needed before Phase 2

To complete the Cloud OAuth login flow, we need to register a Bitbucket OAuth consumer (an "OAuth app") in a Bitbucket workspace. This is what provides the client_id and client_secret that ship in the binary (same model as gh).

A few notes:

• The consumer only needs to be created once, in any workspace you control — it works for all Bitbucket users regardless of which workspace it's registered in
• Required scopes: account, repository, pullrequest, issue, pipeline, webhook
• Callback URL to register: http://127.0.0.1 (or http://127.0.0.1/callback)
• The "private consumer" checkbox must be checked to get a client_secret

@avivsinai — do you want me to register the bkt OAuth app in my workspace and share the credentials, or would you prefer to register it yourself in a workspace you control?

[ekrako]

Action needed: add GitHub secrets + remove credentials from comment

The OAuth credentials are injected at build time via -ldflags instead of being hardcoded in source. The release workflow and goreleaser config already reference two repository secrets:

gh secret set BKT_OAUTH_CLIENT_ID --repo avivsinai/bitbucket-cli
gh secret set BKT_OAUTH_CLIENT_SECRET --repo avivsinai/bitbucket-cli

Also, please edit your earlier comment to remove the client_id and client_secret values — they're currently visible in the issue history. After adding the secrets, consider rotating the consumer credentials from the Bitbucket workspace OAuth settings since the old values were exposed.