feat(auth): add PKCE to OAuth 2.0 login flow #162
Layer PKCE (RFC 7636, S256) onto the existing authorization code flow as defense-in-depth against code interception. Client secret is preserved — Bitbucket Cloud still requires it at token exchange/refresh. Closes avivsinai#153
avivsinai left a comment
Blocking pending verification.
As of April 15, 2026, Bitbucket Cloud's official OAuth 2.0 docs still describe the authorization-code flow as:
- authorize: `https://bitbucket.org/site/oauth2/authorize?client_id={client_id}&response_type=code`
- token: POST `https://bitbucket.org/site/oauth2/access_token` using Basic auth with `client_id:secret`
Source: https://developer.atlassian.com/cloud/bitbucket/rest/intro/#oauth-2-0
The February 4, 2026 Bitbucket Cloud auth-change notice also enumerates the current OAuth 2.0 behavior changes and does not mention PKCE, code_challenge, or code_verifier:
https://developer.atlassian.com/cloud/bitbucket/changelog/#CHANGE-3052
Inference from those official sources: PKCE support is at best undocumented. I could not complete a live end-to-end check from this machine because there is no Bitbucket Cloud OAuth consumer configured here and no BKT_OAUTH_CLIENT_* credentials are present.
Please add a real Bitbucket Cloud validation that code_challenge + code_verifier are accepted before we merge this, or keep the current unsupported/unverified posture in code/docs until that evidence exists.
Copy the PKCE OAuth files from PR #162 onto a short-lived branch and add a manual workflow that builds bkt with the repository OAuth client secrets embedded.

This keeps the verification path off the fork PR while producing a binary we can use for a real Bitbucket Cloud login test. Refs GH-162
Co-Authored-By: OpenAI Codex <noreply@openai.com>

Scope the verification workflow to pushes on the temporary branch so GitHub runs it without requiring the workflow file to exist on master.

This keeps the footprint isolated to the scratch branch and preserves the manual trigger. Refs GH-162
Co-Authored-By: OpenAI Codex <noreply@openai.com>

Use macos-latest for the temporary verification workflow so the uploaded bkt artifact is runnable on the local machine for the live Bitbucket Cloud login check. Refs GH-162
Co-Authored-By: OpenAI Codex <noreply@openai.com>
Add the missing Unreleased notes for the notable changes merged after v0.23.0 so the next release can be cut through the supported release PR flow. This covers the Data Center PR comments details view, PKCE in the Bitbucket Cloud OAuth login flow, and the release-pipeline attestation/gate tightening. Refs GH-110 Refs GH-162 Refs GH-164
Summary
Adds PKCE (RFC 7636, S256 method) to the OAuth 2.0 authorization code flow as defense-in-depth against authorization code interception. The client secret is preserved — Bitbucket Cloud still requires it at token exchange/refresh.
Closes #153
Changes
- `generatePKCE()` helper and `pkceParams` type; `buildAuthorizeURL` now includes `code_challenge` + `code_challenge_method=S256`; `exchangeCode` now includes `code_verifier` in POST body
- `TestGeneratePKCE` (verifier length, charset, S256 derivation, uniqueness); updated `TestBuildAuthorizeURL` and `TestExchangeCode` to assert PKCE params
Testing
- `go test ./...` — 1165 tests pass
- `TestGeneratePKCE` verifies verifier charset/length and challenge derivation against known SHA-256 output
- `TestBuildAuthorizeURL` asserts `code_challenge` and `code_challenge_method=S256` in authorize URL
- `TestExchangeCode` asserts `code_verifier` in token exchange POST body
Risks
- None — stdlib only (`crypto/sha256`, `encoding/base64`), isolated to `pkg/oauth`, no public API changes
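The three pieces the Changes list describes (verifier/challenge generation, the extra authorize-URL parameters, and the `code_verifier` in the token-exchange body), written out as an added example in Go because bkt is a Go project. This is not the PR's or the project's code: the names `PKCEParams`, `S256Challenge`, `GeneratePKCE`, `BuildAuthorizeURL` and `ExchangeBody` are assumed stand-ins for the PR's `pkceParams`, `generatePKCE`, `buildAuthorizeURL` and `exchangeCode`, and the base URL, client id and state are caller-supplied.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
)

// PKCEParams pairs a code_verifier with its S256 code_challenge (RFC 7636).
type PKCEParams struct{ Verifier, Challenge string }

// S256Challenge derives BASE64URL(SHA256(verifier)) with no '=' padding.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// GeneratePKCE base64url-encodes 32 random bytes: a 43-char verifier inside
// the RFC's 43..128 length range and unreserved charset.
func GeneratePKCE() (PKCEParams, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return PKCEParams{}, err
	}
	v := base64.RawURLEncoding.EncodeToString(raw)
	return PKCEParams{Verifier: v, Challenge: S256Challenge(v)}, nil
}

// BuildAuthorizeURL adds code_challenge + code_challenge_method=S256 to the
// authorize request; base, clientID and state are caller-supplied (assumed).
func BuildAuthorizeURL(base, clientID, state string, p PKCEParams) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "code")
	q.Set("state", state)
	q.Set("code_challenge", p.Challenge)
	q.Set("code_challenge_method", "S256")
	return base + "?" + q.Encode()
}

// ExchangeBody is the token-exchange form: the verifier goes in the body,
// while Basic client_id:secret stays on the request header as the PR notes.
func ExchangeBody(code string, p PKCEParams) string {
	f := url.Values{}
	f.Set("grant_type", "authorization_code")
	f.Set("code", code)
	f.Set("code_verifier", p.Verifier)
	return f.Encode()
}
```

The S256 derivation can be checked against the RFC 7636 Appendix B vector, which is what a unit test like the PR's `TestGeneratePKCE` compares against.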