CSRF error on OAuth login

Issue #2696 resolved
created an issue

Hi, when logging into Bitbucket, with an OAuth token, I am getting the attached error. Thanks.

Comments (10)

  1. Dylan Etkin


    Do you mean openId or OAuth?

    You are not meant to be able to log in to the site via OAuth. Instead, calls to your REST API will be authenticated via OAuth.



  2. Dylan Etkin

    Hi Matt,

    Thanks for the details, that makes more sense. We do have a bug with that part of the workflow. I believe if the user logs in first then they should be able to authorize your site's access.

    That said, we have fixed the issue and will be rolling it out tomorrow.

    Sorry for the trouble and thanks for reporting,


  3. Jesper Noehr

    @Matt Sherman,

    So here's the issue: There's a discrepancy between using api.bitbucket.org and bitbucket.org/!api/, in the sense that redirecting users for authorization on api.bb.org will actually post to bb.org directly, and cause a CSRF error.

    The easiest way to proceed is to use a new set of URLs, and I've updated the documentation on http://confluence.atlassian.com/display/BBDEV/OAuth+on+Bitbucket with these.

    Tl;dr: stop using api.bb.org and use bb.org/!api/ instead, and everything should be hunky dory.

  4. rob hinds
    • changed status to open


    I am encountering the exact same problem attempting to complete the OAuth process with Bitbucket (exact same error screen as the originally attached screenshot). The link provided by Jesper in #6 is invalid, but suggests this link (normal Bitbucket API docs): https://confluence.atlassian.com/display/BITBUCKET/OAuth+on+Bitbucket

    I am using the following URLs:

    Request token: https://bitbucket.org/api/1.0/oauth/request_token/
    Authenticate: https://bitbucket.org/api/1.0/oauth/authenticate/
    Access token: https://bitbucket.org/api/1.0/oauth/access_token/

    Upon hitting the authenticate URL I am prompted to log in (regardless of whether I am already logged in to BB at the time), then on hitting submit I get the CSRF error page as per attached.
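
The three-legged flow behind the URLs listed in the comment above, as an added example (not Bitbucket's or the reporter's code): request-token signing with HMAC-SHA1 per RFC 5849, parsing of the form-encoded token response, the browser redirect to the authenticate endpoint, and the server-side signature check. It runs offline; the consumer key and secret, the callback URL and the sample token response body are constructed values, and the `oauth_verifier` parameter on the access-token step is what RFC 5849 specifies rather than something this thread confirms for Bitbucket. The verification check also shows why the host matters: a request signed for bitbucket.org does not verify when replayed against api.bitbucket.org, because the host is part of the signed base string.

```python
"""Three-legged OAuth 1.0a (RFC 5849) for the Bitbucket 1.0 endpoints, offline.

Added example, not Bitbucket's code. Keys, callback URL and the sample
token response below are constructed values; no network request is made.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit

# Endpoints from the comment above: host is bitbucket.org, not api.bitbucket.org.
REQUEST_TOKEN_URL = "https://bitbucket.org/api/1.0/oauth/request_token/"
AUTHENTICATE_URL = "https://bitbucket.org/api/1.0/oauth/authenticate/"
ACCESS_TOKEN_URL = "https://bitbucket.org/api/1.0/oauth/access_token/"


def pct(value):
    """RFC 5849 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """RFC 5849 3.4.1.2: lowercase scheme/host, default port dropped, query removed."""
    p = urlsplit(url)
    host = p.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(p.scheme.lower())
    if p.port and p.port != default_port:
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"


def signature_base_string(method, url, oauth_params):
    """RFC 5849 3.4.1: METHOD & enc(base URI) & enc(sorted, encoded parameters)."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_params if k not in ("oauth_signature", "realm")]
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key is enc(consumer secret) & enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret, *, token=None,
                 token_secret="", extra=(), nonce=None, timestamp=None):
    """Return (Authorization header value, signature base string) for one request."""
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(16)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp or int(time.time()))),
        ("oauth_version", "1.0"),
    ]
    if token:
        oauth.append(("oauth_token", token))
    oauth.extend(extra)  # e.g. oauth_callback (step 1) or oauth_verifier (step 3)
    base = signature_base_string(method, url, oauth)
    oauth.append(("oauth_signature", hmac_sha1(base, consumer_secret, token_secret)))
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth)
    return header, base


def verify_request(method, url, header, consumer_secret, token_secret=""):
    """Server-side check: recompute the signature over the request as received."""
    if not header.startswith("OAuth "):
        return False
    params = []
    for item in header[len("OAuth "):].split(","):
        k, _, v = item.strip().partition("=")
        params.append((unquote(k), unquote(v.strip('"'))))
    sent = dict(params).get("oauth_signature", "")
    base = signature_base_string(method, url, params)
    expected = hmac_sha1(base, consumer_secret, token_secret)
    return hmac.compare_digest(sent, expected)


def parse_token_response(body):
    """Steps 1 and 3 answer with form-encoded oauth_token / oauth_token_secret."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if "oauth_token" not in fields or "oauth_token_secret" not in fields:
        raise ValueError("malformed token response")
    return fields


def authorize_redirect_url(request_token):
    """Step 2: the browser goes here. Keep it on the bitbucket.org host so the
    login/authorize form posts back to the origin that issued its CSRF token."""
    return AUTHENTICATE_URL + "?" + urlencode({"oauth_token": request_token})


if __name__ == "__main__":
    hdr, _ = sign_request("POST", REQUEST_TOKEN_URL, "ckey", "csecret",
                          extra=[("oauth_callback", "https://app.example/cb")])
    print(hdr)
    # Constructed stand-in for the request_token response body.
    tok = parse_token_response("oauth_token=rt&oauth_token_secret=rts&oauth_callback_confirmed=true")
    print(authorize_redirect_url(tok["oauth_token"]))
    hdr3, _ = sign_request("POST", ACCESS_TOKEN_URL, "ckey", "csecret", token=tok["oauth_token"],
                           token_secret=tok["oauth_token_secret"], extra=[("oauth_verifier", "v")])
    print(hdr3)
```

The nonce and timestamp are fixed only in tests; in use, each request gets a fresh nonce, and the server should reject reused nonces and stale timestamps in addition to checking the signature.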

