Hello,
We are using the Bitbucket Cloud users & groups to authenticate via OAuth to a third-party system. So BB Cloud is our identity provider. We are in the situation where workspace admins can log in correctly but regular users cannot.
At the time of writing, there is no V2 counterpart API yet for user group management, see ticket BCLOUD-17103.
So, retrieving the groups needs to be done with this legacy V1 API:
This is indeed the call which happens in the OAuth connector:
As a Workspace Admin user, if I test this call with curl, using an App Password, I can successfully retrieve the list of groups.
Now the docs of the legacy V1 API mention this:
The caller must authenticate with administrative rights on the workspace or as a group member to view a group.
Each of our developers who has accepted the workspace invite is added to a group developers, which has READ access to a few basic repositories, and is also added to a group linked to their team. Via the team group, they have WRITE access to some more repositories.
Being a member of two groups, I would assume this is enough for the "or as a group member" part as defined in the docs.
However, none of these developers is able to invoke the legacy API call. They get a 403 Forbidden.
- Should the account and team auth scopes be enough for a regular user to find out about the groups he/she is a member of?
- Are more auth scopes required?
- Does this even work for a regular user?
Thanks,
Ringo
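As an added example (not code from Ringo's post, from the OAuth connector, or from Atlassian), the following script reproduces the probe described above: call the legacy groups endpoint with an App Password over HTTP Basic auth and classify the outcome, so that a 403 (authenticated but not permitted) is not confused with a 401 (bad credentials). The endpoint URL, the helper names `basic_auth_header`, `interpret_groups_response` and `fetch_groups`, and the shape of the JSON body (a list of group objects with a `slug` or `name` field) are assumptions, since the post itself does not show the call or the response.

```python
"""Probe the Bitbucket Cloud legacy (1.0) groups endpoint with an App Password.

Added example, not code from the original post or from Atlassian.
Assumptions: the endpoint URL below and the JSON shape of a successful body.
"""
import base64
import json
import sys
import urllib.error
import urllib.request

# Assumption: legacy v1 groups endpoint for a workspace (not stated on the page).
LEGACY_GROUPS_URL = "https://api.bitbucket.org/1.0/groups/{workspace}"

# Constructed sample of what an admin might receive (assumed shape, for offline use).
SAMPLE_ADMIN_BODY = (
    b'[{"name": "developers", "slug": "developers"},'
    b' {"name": "team-x", "slug": "team-x"}]'
)


def basic_auth_header(username: str, app_password: str) -> str:
    """Build the HTTP Basic Authorization value used with an App Password."""
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    return f"Basic {token}"


def interpret_groups_response(status: int, body: bytes) -> dict:
    """Classify an HTTP answer from the groups endpoint.

    Kept free of network I/O so it can be exercised on constructed bodies.
    """
    if status == 200:
        data = json.loads(body.decode() or "[]")
        # Assumption: a JSON list of group objects carrying "slug" and/or "name".
        groups = [g.get("slug") or g.get("name") for g in data]
        return {"outcome": "ok", "groups": groups}
    if status == 401:
        # Credentials were rejected: wrong user or App Password.
        return {"outcome": "bad_credentials", "groups": []}
    if status == 403:
        # Credentials accepted, but the caller is neither an admin nor allowed to view.
        return {"outcome": "forbidden", "groups": []}
    return {"outcome": f"unexpected_{status}", "groups": []}


def fetch_groups(workspace: str, username: str, app_password: str, opener=None) -> dict:
    """Perform the legacy groups call and classify the result.

    `opener` may be swapped for a fake in tests; it defaults to urllib.
    """
    req = urllib.request.Request(
        LEGACY_GROUPS_URL.format(workspace=workspace),
        headers={
            "Authorization": basic_auth_header(username, app_password),
            "Accept": "application/json",
        },
    )
    open_fn = opener or urllib.request.urlopen
    try:
        with open_fn(req) as resp:
            return interpret_groups_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # urllib raises for 4xx/5xx; the status code is what we want to classify.
        return interpret_groups_response(err.code, err.read())


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe.py <workspace> <username> <app_password>")
    print(json.dumps(fetch_groups(*sys.argv[1:]), indent=2))
```

Run it once with a workspace admin's App Password and once with a regular developer's; an `"outcome": "forbidden"` for the developer matches the 403 reported in the post, whereas `"bad_credentials"` would point at the App Password itself rather than at permissions.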