feat(auth): add OAuth 2.0 login flow for Bitbucket Cloud

[ekrako]

Summary

Adds browser-based OAuth 2.0 login for Bitbucket Cloud via bkt auth login --web.
Short-lived access tokens are stored as JSON blobs in the keyring and transparently
refreshed on 401. The existing API-token flow is preserved under --web-token.

Closes #136 (Phase 2).

Changes

OAuth flow (pkg/oauth/flow.go)

• Full authorization code flow: localhost callback server → browser → code exchange → /2.0/user verification
• RefreshToken() for transparent 401-triggered refresh
• Output routed through io.Writer (not stdout) for testability
• User identity: prefers username > account_id, never stores display_name as the API username

Auth command (pkg/cmd/auth/auth.go)

• --web on Cloud runs OAuth flow; --web on DC errors with guidance to use --web-token
• --web-token replaces old --web behavior (opens token management page)
• --web and --web-token are mutually exclusive
• auth status shows OAuth token expiry (hidden when BKT_TOKEN overrides)
• Guard: --web fails fast if OAuth client credentials are missing from the build

Token refresh wiring (pkg/cmdutil/client.go)

• NewCloudClient wires TokenRefresher for OAuth hosts using keyring tokens
• Bearer auth + refresher only when using keyring; BKT_TOKEN overrides default to basic
• Missing client credentials checked at refresh time, not construction — local builds work until token expires

Token detection (pkg/cmdutil/context.go)

• loadHostToken detects JSON blob in keyring → extracts access_token, sets auth_method=oauth
• BKT_TOKEN path now applies BKT_USERNAME and BKT_AUTH_METHOD overrides (fixes OAuth host + env token)
• Requires BKT_USERNAME when overriding an OAuth Cloud host (prevents silent 401 from wrong username)

Credentials injection (pkg/oauth/cloud.go, Makefile, .goreleaser.yaml, release.yml)

• OAuth client_id/client_secret injected at build time via -ldflags -X
• Runtime fallback to BKT_OAUTH_CLIENT_ID/BKT_OAUTH_CLIENT_SECRET env vars for go install builds
• Release workflow validates secrets are non-empty before goreleaser publishes

Cloud client (pkg/bbcloud/client.go)

• Added AuthMethod and TokenRefresher to Options
• Auth method selection: explicit > refresher-implied-bearer > default-basic

Skill docs

• Updated SKILL.md, auth.md (regenerated), headless.md with OAuth env vars and examples

Testing

• go test ./... — 1013 tests pass
• Pre-commit hooks pass
• Manual end-to-end: bkt auth login --web → browser consent → token stored → auth status shows expiry
• Manual: --web without build creds → clear error; --web on DC → error with --web-token guidance
• New tests in pkg/oauth/flow_test.go: authorize URL, code exchange, refresh, state mismatch, full flow, error paths, randomState

Risks

• BKT_OAUTH_CLIENT_ID/BKT_OAUTH_CLIENT_SECRET GitHub secrets must be added by repo admin before the next release (comment posted on feat(auth): OAuth 2.0 login for Cloud and Data Center #136)
• Repo admin should rotate the OAuth consumer credentials since the original values were exposed in issue comments

[sentry]

Codecov Report

❌ Patch coverage is 63.23529% with 125 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
pkg/cmd/auth/auth.go	44.73%	76 Missing and 8 partials ⚠️
pkg/oauth/flow.go	74.35%	16 Missing and 14 partials ⚠️
pkg/cmdutil/client.go	71.05%	9 Missing and 2 partials ⚠️

📢 Thoughts on this report? Let us know!

[avivsinai]

I reviewed the auth flow more closely and compared it against a few mature CLIs.

The important bit: I am not comfortable claiming that Bitbucket Cloud can be supported as a true secretless/public-client flow today.

What I found:

• Atlassian's Bitbucket Cloud docs still show client_id:client_secret at token exchange/refresh.
• gh is not a good model here: its localhost web flow also uses an embedded/injected client secret and no PKCE.
• glab is a stronger modern example: public client + PKCE.
• The most relevant Bitbucket-specific precedent I found is Git Credential Manager, and that appears to do PKCE plus a client secret, not PKCE-only.

So as I see it, the choices are:

1. Keep this PR as-is: loopback redirect + state + secret-backed code exchange/refresh. This is the path I believe we can support with confidence right now.
2. Add PKCE on top of the current flow as a hardening improvement, but still keep the client secret for Bitbucket until we have live proof that secretless/public-client works end-to-end.

I would not merge a change that assumes PKCE means we can drop the secret unless we verify that against a real Bitbucket OAuth consumer first.

@ekrako what do you prefer here:

• merge the current secret-backed flow now, or
• update this PR to add PKCE as well before merge?

[ekrako]

Let's merge the current flow as-is — it's working end-to-end and matches gh's approach. I'll open a follow-up PR to add PKCE on top.

[avivsinai]

Sounds good. Merging and releasing… — aviv

…

On Sun, 12 Apr 2026 at 11:52 Eran Krakovsky ***@***.***> wrote: *ekrako* left a comment (avivsinai/bitbucket-cli#152) <#152 (comment)> Let's merge the current flow as-is — it's working end-to-end and matches gh's approach. I'll open a follow-up PR to add PKCE on top. — Reply to this email directly, view it on GitHub <#152 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAD6VPNLY3TIT4XJJVWR734VNKMFAVCNFSM6AAAAACXVFJ5ASVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DEMZRGE2TEMJQHA> . You are receiving this because you commented.Message ID: ***@***.***>

[avivsinai]

Reviewed. Merging the current secret-backed OAuth flow now; PKCE can follow as a hardening pass in a separate PR.