Issue Summary
OAuth 2.0 authorization and consent grant fails with an "invalid_request: The provided value for the input parameter 'redirect_uri' is not valid" error if the authorization and consent steps are performed before the user logs on to Bitbucket.
Details
If there is no active session in Bitbucket, when the <BITBUCKET_BASE_URL>/rest/oauth2/latest/authorize and then <BITBUCKET_BASE_URL>/plugins/servlet/oauth2/consent pages are accessed on the browser, the user will be redirected to the Bitbucket login page first.
After the user logs in to Bitbucket, the POST <BITBUCKET_BASE_URL>/j_atl_security_check call redirects back to the <BITBUCKET_BASE_URL>/plugins/servlet/oauth2/consent page. This URL is called with a redirect_uri parameter for the external app's URL.
The issue is that the redirect_uri parameter generated is invalid. It only contains a single "/" after the protocol (for example: "https:/www.google.com" instead of "https://www.google.com").
If there is an active session in Bitbucket (user is currently logged on) when the consent page is accessed, there are no issues.
This is reproducible on Data Center: yes
Steps to Reproduce
- Log on to Bitbucket as an admin
- Register an external app in Bitbucket and create an incoming link in the Admin > Application Links page
- Log out of Bitbucket
- Request authorization code by redirecting the user to the /rest/oauth2/latest/authorize page with the following query parameters:
curl "<BITBUCKET_BASE_URL>/rest/oauth2/latest/authorize?client_id=CLIENT_ID&redirect_uri=https://www.google.com&response_type=code&state=STATE&scope=SCOPE"
Note: in this sample, the redirect_uri is https://www.google.com
- Since the user is not logged in, the user is redirected to the Bitbucket log in page
- Log in to Bitbucket
- After logging in, the user is sent back to the consent page.
Now, the "Redirect URL" shown is invalid. It only has one "/" char instead of "//".
- When the "Allow" button is clicked, the error "invalid_request: The provided value for the input parameter 'redirect_uri' is not valid." is shown.
Reference: Bitbucket OAuth 2.0 provider API
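The following is an added example, not code from this issue or from Bitbucket itself: it builds a correctly percent-encoded authorize URL and checks the redirect_uri carried by the consent page URL after the login round trip, flagging the collapsed "https:/" form described above. The base URL, client id, state and scope are placeholders, and the two consent URLs are constructed samples.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder instance and client values; not taken from any real deployment.
BITBUCKET_BASE_URL = "https://bitbucket.example.internal"
REQUESTED_REDIRECT_URI = "https://www.google.com"


def build_authorize_url(base_url, client_id, redirect_uri, state, scope):
    """Build the /rest/oauth2/latest/authorize URL with an encoded query.

    urlencode percent-encodes ':' and '/' in redirect_uri, so the nested URL
    cannot be confused with the outer query string.
    """
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
        "scope": scope,
    })
    return f"{base_url}/rest/oauth2/latest/authorize?{query}"


def check_consent_redirect_uri(consent_url, requested_redirect_uri):
    """Compare the redirect_uri in the consent page URL (as observed after the
    j_atl_security_check redirect) with the value originally requested.
    Returns (ok, reason)."""
    params = parse_qs(urlparse(consent_url).query)
    values = params.get("redirect_uri", [])
    if len(values) != 1:
        return False, "redirect_uri missing or repeated"
    actual = values[0]
    parsed = urlparse(actual)
    if not parsed.scheme or not parsed.netloc:
        # "https:/www.google.com" parses with an empty netloc because the
        # "//" after the scheme is gone: the symptom this issue reports.
        return False, f"malformed redirect_uri: {actual!r}"
    if actual != requested_redirect_uri:
        return False, f"redirect_uri changed: {actual!r}"
    return True, "redirect_uri intact"


# Constructed sample consent URLs: one intact, one with the collapsed "//".
CONSENT_OK = (BITBUCKET_BASE_URL + "/plugins/servlet/oauth2/consent"
              "?client_id=CLIENT_ID&redirect_uri=https%3A%2F%2Fwww.google.com"
              "&response_type=code&state=STATE&scope=SCOPE")
CONSENT_BAD = CONSENT_OK.replace("https%3A%2F%2Fwww", "https%3A%2Fwww")
```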
Expected Results
The Redirect URL shown in the consent page is valid and the OAuth 2.0 consent grant completes successfully.
Actual Results
The Redirect URL shown in the consent page is invalid. It only contains one "/" char instead of "//" after the protocol.
When the "Allow" button is clicked on the consent page, the error "invalid_request: The provided value for the input parameter 'redirect_uri' is not valid." is shown.
Workaround
Log on to Bitbucket before accessing the OAuth 2.0 authorization and consent pages.