Make OAuth2 endpoints available on api.bitbucket.org subdomain.

Issue #11694 wontfix
Alexandru G
created an issue

Considering that Bitbucket exposes OAuth1 endpoints via https://api.bitbucket.org/1.0/oauth/<something>, could something similar be done for OAuth2 (which is currently at https://bitbucket.org/site/oauth2/<something>)?

Maybe something like https://api.bitbucket.org/1.0/oauth2/<something>.

This could be useful for API client libraries which defined their base URL as https://api.bitbucket.org and at this point in time they need to be reconfigured before and after making a request on an OAuth2 endpoint (like https://bitbucket.org/site/oauth2/access_token for example).

Comments (2)

  1. Erik van Zijst staff

    The reason the OAuth 2 URLs live on the bitbucket.org domain and not on api.bitbucket.org is because some grant types involve interactive browser access. The /authorize endpoint relies on the user's session cookie to authenticate the end user.

    Since we do not support session cookie authentication on our api.bitbucket.org domain, we cannot host the authorize endpoint there. Also, since we did not want to end up hosting the OAuth authorize and access_token endpoints on different domains, we ended up with both on bitbucket.org.

    OAuth 1 is slightly different as it does straddle both domains, but this is somewhat due to historical reasons and not something we wanted to continue with OAuth 2.

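An added example, not code from this issue or from Bitbucket: one way a client library can hold both base URLs at once instead of being reconfigured around each token request, while keeping client credentials on the OAuth 2 host and bearer tokens on the API host. It assumes the standard RFC 6749 client_credentials grant with HTTP Basic client authentication; the `TwoHostClient` and `resolve` names, the credentials and the `2.0/user` path are illustrative.

```python
import base64
from urllib.parse import urlencode, urljoin, urlsplit
from urllib.request import Request

# Both base URLs are the ones named in the issue.
AUTH_BASE = "https://bitbucket.org/site/oauth2/"
API_BASE = "https://api.bitbucket.org/"


def resolve(base, path):
    """Join path onto base; refuse anything that leaves base's origin or prefix."""
    url = urljoin(base, path)
    b, u = urlsplit(base), urlsplit(url)
    if (u.scheme, u.netloc) != (b.scheme, b.netloc) or not u.path.startswith(b.path):
        raise ValueError(f"{path!r} resolves outside {base}")
    return url


class TwoHostClient:
    """Hypothetical client that pins each credential type to its own host."""

    def __init__(self, client_id, client_secret):
        pair = f"{client_id}:{client_secret}".encode()
        self._basic = "Basic " + base64.b64encode(pair).decode()

    def token_request(self):
        # Client credentials only ever go to the OAuth 2 host.
        body = urlencode({"grant_type": "client_credentials"}).encode()
        return Request(resolve(AUTH_BASE, "access_token"), data=body,
                       headers={"Authorization": self._basic}, method="POST")

    def api_request(self, path, access_token):
        # Bearer tokens only ever go to the API host.
        return Request(resolve(API_BASE, path),
                       headers={"Authorization": f"Bearer {access_token}"})


if __name__ == "__main__":
    # Constructed credentials; the requests are built but never sent.
    client = TwoHostClient("constructed-key", "constructed-secret")
    for req in (client.token_request(),
                client.api_request("2.0/user", "constructed-token")):
        print(req.get_method(), req.full_url)
```

Passing either `Request` to `urllib.request.urlopen` would send it; the origin check in `resolve` is what stops an absolute or protocol-relative path from carrying the `Authorization` header to another host.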