Libphutil uses deprecated OAuth1 for Bitbucket login


#1

Observed Behavior:
libphutil’s PhutilBitbucketAuthAdapter still uses OAuth1 (https://github.com/phacility/libphutil/blob/4206849bb05b60f536a1c78e33adee68dac67aa9/src/auth/PhutilBitbucketAuthAdapter.php). However, OAuth1 on Bitbucket was deprecated several years ago and has since been end-of-lifed.

Expected Behavior:
libphutil should use OAuth2 on Bitbucket instead of OAuth1.
The Bitbucket OAuth2 endpoints are documented here: https://developer.atlassian.com/bitbucket/api/2/reference/meta/authentication#oauth-2

OAuth1 is no longer supported on Bitbucket and will likely be permanently turned off before April 2019, which would break Phabricator.

Switching from OAuth1 to OAuth2 does not require the creation or registration of a new OAuth consumer key/secret pair. The existing consumer can be used with OAuth2.

Phabricator Version:
Affects all versions of libphutil (and by extension Phabricator).

Reproduction Steps:
Sign up in Phabricator using the Bitbucket option. libphutil then redirects the browser to https://bitbucket.org/api/1.0/oauth/authenticate, which is Bitbucket’s OAuth1 flow.
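
For comparison with the OAuth1 redirect described in post #1, the following is an added example of the OAuth2 authorization-code flow against Bitbucket; it is not part of the original post and is not libphutil code. The function names and sample credentials are hypothetical, the two endpoint URLs are Bitbucket's OAuth2 endpoints, and the use of a `state` parameter follows RFC 6749.

```php
<?php
// Added example, not libphutil code. Function names and sample values are
// hypothetical; the endpoints are Bitbucket's OAuth2 endpoints.
const BB_AUTHORIZE_URI = 'https://bitbucket.org/site/oauth2/authorize';
const BB_TOKEN_URI     = 'https://bitbucket.org/site/oauth2/access_token';

// Step 1: build the browser redirect. Unlike OAuth1, no request token is
// fetched first; a random "state" value binds the callback to this session.
function bb_authorize_uri(string $consumer_key, string $state): string {
  return BB_AUTHORIZE_URI.'?'.http_build_query(array(
    'client_id'     => $consumer_key,
    'response_type' => 'code',
    'state'         => $state,
  ));
}

// Step 2: validate the callback query before trusting the "code" value.
function bb_read_callback(array $query, string $expected_state): string {
  if (isset($query['error'])) {
    throw new Exception('Provider reported an error on the callback.');
  }
  $state = $query['state'] ?? null;
  if (!is_string($state) || !hash_equals($expected_state, $state)) {
    throw new Exception('State mismatch; rejecting callback.');
  }
  if (!isset($query['code']) || !is_string($query['code'])) {
    throw new Exception('Callback carried no authorization code.');
  }
  return $query['code'];
}

// Step 3: describe the token exchange. The existing consumer key/secret
// pair authenticates the client via HTTP Basic; nothing is signed.
function bb_token_request(string $key, string $secret, string $code): array {
  return array(
    'method'  => 'POST',
    'uri'     => BB_TOKEN_URI,
    'headers' => array('Authorization: Basic '.base64_encode($key.':'.$secret)),
    'body'    => http_build_query(array(
      'grant_type' => 'authorization_code',
      'code'       => $code,
    )),
  );
}

// Constructed sample values, for illustration only.
$state = bin2hex(random_bytes(16));
echo bb_authorize_uri('EXAMPLE_KEY', $state), "\n";
$code = bb_read_callback(array('state' => $state, 'code' => 'EXAMPLE_CODE'), $state);
print_r(bb_token_request('EXAMPLE_KEY', 'EXAMPLE_SECRET', $code));
```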


#2

Thanks!

We aren’t currently aware of any active customers using Bitbucket auth, so we’ll probably just let this end-of-life and remove it (like we previously removed Persona support) unless some crawl out of the woodwork. It’s likely very easy to update if some do.

(Otherwise, it’s probably a good candidate to become maintained by a third-party as an external extension if there’s a small amount of general interest but no customer interest, and support for package management will likely be in relatively better shape in April 2019. See https://secure.phabricator.com/T5055.)


#3

That’s fair enough.