PKCE Support for Bitbucket #7327

Open
jimafisk opened this issue Nov 13, 2024 · 0 comments
Labels: area: extensions/backends/bitbucket; type: feature (code contributing to the implementation of a feature and/or user facing functionality)

Comments

@jimafisk

Is your feature request related to a problem? Please describe.
Bitbucket Cloud currently does not support PKCE (see this) so Decap is currently using Implicit grant instead.

Implicit auth has downsides, per your documentation:

Warning: With Bitbucket implicit grant, the authentication is valid for 1 hour only. After that, the user has to login again, which can lead to data loss if the expiration occurs while content is being edited.

There are other issues like users being locked out from login after tokens expire: #4183

Describe the solution you'd like
There's a feature request for Atlassian's engineering team to add PKCE: https://jira.atlassian.com/browse/BCLOUD-23469

It would be great if interested parties added their support there by:

  1. Logging in and clicking "vote for this issue" in the right sidebar
  2. Leaving a comment explaining why PKCE would be useful to you

Describe alternatives you've considered
Use GitLab, Gitea, Forgejo, or other Git hosts that already support the PKCE workflow.

Additional context
PKCE is generally considered more secure than Implicit Auth for public clients that can't safely store a secret. Per the Postman article "Implicit Flow is Dead, Try PKCE Instead":

For native and browser-based JavaScript apps, it is now widely considered a best practice to use the Authorization Code flow with the PKCE extension, instead of the Implicit flow.
