Obtain authorised user's username from API


#1

Hi

I’m developing a tool that integrates with Bitbucket Server.

Ideally, users of my tool should be able to go through the OAuth flow against a Bitbucket Server instance (having already set up an application link to my tool) to obtain an OAuth access token.

From within my tool, users should then be able to execute operations against a Bitbucket Server instance’s REST API and execute git operations (e.g. git clone https://mybitbucketserver:7990/scm/proj/repo1.git) using that access token.

The access tokens I’m generating are OAuth v1 because (as far as I can tell) Bitbucket Server doesn’t support OAuth2.

Since it’s not possible to use OAuth v1 tokens to execute git operations, I then need to add a personal access token via Bitbucket Server’s API and use that for the git operations.

To generate this personal access token via the API, I need to know the username of the user for which I have an OAuth token.

I’ve been unable to find a Bitbucket Server API endpoint that will return the username for the currently authorised user (similar to Jira’s /rest/api/2/myself). I opened a support request before posting here and they confirmed that one does not exist for Bitbucket Server.

How do you recommend I integrate my tool with Bitbucket Server? Is there a simpler method that I’ve missed?

I’ve purposefully avoided asking users for their username because to me, the whole point of OAuth is to avoid collecting usernames and passwords (not to mention some users inevitably submitting an incorrect username).

Thanks
Ali


#2

Ali,

Every HTTP response that comes back from the server should have an X-AUSERNAME header attached which provides the username for the authenticated user (if a user is authenticated). Have you checked that? You should be able to execute any REST request you’d like and “see” the user on the header. (Even a request that returns a 404 response will have the header present, so you could actually try to use /rest/api/1.0/myself, for example, and even though it will 404 it should return the information you need.)

Edit: Since we don’t have a myself endpoint, the one I’d suggest would be /rest/api/1.0/application-properties. It doesn’t fail, so it won’t leave 404s in the access logs that might confuse an administrator, and it also doesn’t do any real work, so it won’t be putting load on the server. You can ignore the response body (which will contain details about the version of Bitbucket Server in use) and just look at the X-AUSERNAME header.

Best regards,
Bryan Turner
Atlassian Bitbucket
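
The approach described in #2, as an added Python example that is not part of the original posts and not Atlassian's code: it probes /rest/api/1.0/application-properties and reads X-AUSERNAME from the response. The function names, the HTTPS-only and no-redirect policy, and treating a missing or duplicated header as "unknown" are assumptions of this example; the caller supplies an already-signed OAuth 1 Authorization header value.

```python
import urllib.request
from urllib.parse import urlsplit

# Endpoint suggested in the reply above: succeeds and does no real work.
PROBE_PATH = "/rest/api/1.0/application-properties"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so the header is only ever read from the host we asked."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def username_from_headers(header_items):
    """Return the X-AUSERNAME value from (name, value) pairs, or None.

    None means the header was absent or empty (no authenticated user) or
    appeared more than once (ambiguous, so not trusted in this example).
    """
    values = [v.strip() for k, v in header_items if k.lower() == "x-ausername"]
    if len(values) != 1 or not values[0]:
        return None
    return values[0]


def fetch_username(base_url, authorization, timeout=10):
    """Probe the server and return the authenticated username, or None.

    `authorization` is the complete OAuth 1 Authorization header value,
    signed by the caller for a GET on base_url + PROBE_PATH (assumption:
    signing happens elsewhere in the tool).
    """
    if urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send credentials to a non-HTTPS URL")
    req = urllib.request.Request(
        base_url.rstrip("/") + PROBE_PATH,
        headers={"Authorization": authorization},
    )
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(req, timeout=timeout) as resp:
        # The response body (version details) is ignored; only headers matter.
        return username_from_headers(resp.headers.items())
```

A None result should stop the personal-access-token step rather than fall back to a guessed username.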


#3

Hi Bryan

Thanks for the fast response. I hadn’t thought to check the header but that sounds like what I’m after.

Much appreciated 🙂
Ali

PS good point about the application-properties endpoint.


#4

What about using git ssh with the user’s private/public key pair, if the tool is installed on the user’s desktop?