[bitbucket] includeTeamGroups only works for Workspace Admin users
Expected behavior (what you expected to happen)
Any Bitbucket Cloud User is able to retrieve in which group he/she is in during the login process
Actual behavior (what actually happened)
Only Bitbucket Cloud Workspace Admins seem to have access to the API endpoint used to retrieve the groups.
Steps to reproduce
- Create an organization on Bitbucket cloud
- Set up your app with Dex and Bitbucket Cloud connector with includeTeamGroups active
- Create 2 users and put one in a group with Workspace Admin access, the other with just write access to repositories
- Let both login via Dex.
- Only the user with Workspace Admin rights will be able to login, the other gets an HTTP 403 from Bitbucket Cloud.
Environment
Not related to Dex, as the problem lies on Bitbucket Cloud side.
Anything else we should know?
I escalated this to Atlassian and got confirmation that the endpoint used to retrieve the code:
GET https://api.bitbucket.org/1.0/groups/{workspace_id}/
Here is part of my communication with Atlassian:
The suggested alternative call only returns the workspaces someone is a member of, not the groups within the workspace, which means this is not a solution either.
@ringods Hello! Thanks for the report. I will try to take the time to debug this problem.
@nabokihms there probably is not a solution at this moment due to the shortcomings in the Bitbucket API migration process from V1 to V2. But from my communication with Atlassian, I suspect that no call will be introduced for regular users to find out in which User Groups they are in, within an organization.
Frankly, I think that you are right in your suspicions.
With a lack of integration tests in dex, we can't consolidate connectors logic, and Bitbucket Cloud API is not the most stable API. There are probably some other bugs. The only thing I want to do is to see the problem with my own eyes.
@ringods Hello again, you are right. The groups endpoint only works for administrators, and there is no replacement for it.
I realized that I had forgotten to ask you more about your use case, so... Let me tell you about mine first.
Assume there is a team of developers. They want to authenticate in a Kubernetes cluster using BitbucketCloud, and they already have a team (workspace) on bitbucket.org. However, using the teams filter from connector settings, they can't granularly control authorization or permissions because they are in the same team. In my opinion, this is the most frequent case to use the includeTeamGroups option.
My intention in adding this option was to help such teams and to provide the ability for them to control their groups. It looks like there is a solution to how we can fix this option with the current bitbucket API state. The main idea is to use Client Credentials grant. According to documentation, the oauth2 consumer access token represents not an end-user, but the owner of the client/consumer. With this token, dex can retrieve the statistic of groups of the team in which we have created the consumer.
WDYT about it?
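The flow proposed in the comment above, as an added example (Python, not dex's own connector code): a token is obtained with the client credentials grant, so the groups request runs as the consumer owner rather than as the user logging in, and the user's groups are derived by filtering the workspace's group list by member. The token URL is Bitbucket Cloud's real OAuth 2 endpoint; the `fetch` hook and the assumed response shape (`slug`, `members[].username`) are assumptions made here so the code can be exercised offline.

```python
import base64
import json
import urllib.error
import urllib.request

# Bitbucket Cloud's OAuth 2 token endpoint and API host; the groups path below
# is the 1.0 endpoint named in the issue.
TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token"
API_BASE = "https://api.bitbucket.org"


def http_json(url, method="GET", headers=None, body=None):
    """Default transport: send the request, return (status, decoded JSON or None)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:  # e.g. the 403 a non-admin user's token gets
        return e.code, None


def consumer_token(key, secret, fetch=http_json, token_url=TOKEN_URL):
    """OAuth 2 client credentials grant: consumer key/secret as HTTP Basic auth,
    grant_type=client_credentials. The token represents the consumer owner, not
    the user logging in, so it does not depend on that user's workspace role."""
    basic = base64.b64encode(f"{key}:{secret}".encode()).decode()
    status, data = fetch(token_url, "POST",
                         {"Authorization": f"Basic {basic}",
                          "Content-Type": "application/x-www-form-urlencoded"},
                         b"grant_type=client_credentials")
    if status != 200 or not data or not data.get("access_token"):
        raise RuntimeError(f"client credentials grant failed (HTTP {status})")
    return data["access_token"]


def user_groups(token, workspace, username, fetch=http_json, api_base=API_BASE):
    """List every group of the workspace with the consumer token and keep the
    slugs whose member list contains username. The response shape used here
    (list of {"slug": ..., "members": [{"username": ...}]}) is an assumption."""
    status, groups = fetch(f"{api_base}/1.0/groups/{workspace}/", "GET",
                           {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"groups endpoint returned HTTP {status}")
    return [g["slug"] for g in groups
            if any(m.get("username") == username for m in g.get("members", []))]
```

Passing a different `fetch` lets the membership logic be tested against constructed responses without contacting Bitbucket.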
@nabokihms this indeed might work.
On our end, we will not go forward with the Bitbucket Cloud connector anymore. We are using Concourse which integrates dex for auth. Due to this issue, we switched our identity provider to the Microsoft connector. We are all logging in with our company Microsoft account and have access to all the Active Directory groups to provide granular access within Concourse. Works like a charm, with the only downside that we have to do our group management in two places: in Bitbucket Cloud for Git repo access and in AD for CI server access.
It looks like there is a solution to how we can fix this option with the current bitbucket API state. WDYT about it?
Has this been taken any further?
I am happy to test any development in this area :)
@webwurst we would love to finally have this fixed.