For all of our SaaS applications we require that our users be authenticated via a Google OpenID Connect identity provider. This typically involves us creating a new set of OAuth 2.0 client credentials in our Google Cloud Platform account, and then configuring the client application (Bitbucket, in this case) with the credentials, endpoints, and claims constraints.
This requirement allows us to centrally enforce specific authentication requirements (password complexity, 2FA, ...) instead of having to repeat the configuration in multiple places. It also allows us to ensure that credentials are only ever persisted in one place (Google).
As a bonus, being able to require that authentication only occurs via this OpenID Connect identity provider would be great.
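The "claims constraints" part of that configuration is the piece that actually enforces the policy once Google has issued an ID token. The following is an added example (not Bitbucket's or Google's code) of the checks a relying party applies to an ID token payload whose signature has already been verified against Google's published JWKS; the client ID, hosted domain and token payloads are constructed values.

```python
import time

# Both issuer spellings appear in Google ID tokens, so accept either.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def check_google_id_token_claims(claims, client_id, hosted_domain, now=None):
    """Return the list of policy violations for a Google ID token payload.

    Assumes the JWT signature was already verified against Google's JWKS
    (e.g. by an OIDC library); this function only enforces claim constraints.
    An empty list means the token satisfies the relying party's policy.
    """
    now = time.time() if now is None else now
    problems = []

    # iss: the token must come from Google, not some other OIDC provider.
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss: token not issued by Google")

    # aud: the token must have been minted for *this* OAuth 2.0 client,
    # otherwise a token obtained for another app could be replayed here.
    aud = claims.get("aud")
    if aud != client_id and aud != [client_id]:
        problems.append("aud: token was issued to a different OAuth client")

    # exp: reject expired tokens (seconds since the Unix epoch).
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp: token missing or expired")

    # hd: only present for Google Workspace accounts; requiring it pins
    # sign-in to the organisation's domain and rejects consumer accounts.
    if claims.get("hd") != hosted_domain:
        problems.append("hd: account is not in the required Workspace domain")

    # email_verified: don't trust an unverified address for account linking.
    if claims.get("email_verified") is not True:
        problems.append("email_verified: address not verified by Google")

    return problems


# Constructed sample payload, shaped like a real Google ID token's claims.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "example-client-id.apps.googleusercontent.com",  # placeholder
    "sub": "110169484474386276334",
    "email": "alice@example.com",
    "email_verified": True,
    "hd": "example.com",
    "exp": 1_700_000_600,
    "iat": 1_700_000_000,
}

if __name__ == "__main__":
    print(check_google_id_token_claims(
        SAMPLE_CLAIMS, "example-client-id.apps.googleusercontent.com",
        "example.com", now=1_700_000_300))
```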