Authentication failure using <user>/<password or personal access token> in Bitbucket server

[Enrice]

Jenkins and plugins versions report

Environment

jenkins 2.479.1
plugin version [895.v15dc41668f03](https://plugins.jenkins.io/cloudbees-bitbucket-branch-source)
bitbucket data center 8.19.9

This is a Multibranch Pipeline Events log. As can be seen, authentication works for listing the branches. But the git fetch does not.

[Tue Nov 05 12:34:20 CET 2024] Received com.cloudbees.jenkins.plugins.bitbucket.hooks.NativeServerPushHookProcessor$HeadEvent UPDATED event from *** ⇒ https://***/bitbucket-scmsource-hook/notify with timestamp Tue Nov 05 12:34:15 CET 2024
Connecting to https://*** using ***/****** (jenkins' Bitbucket technical user)
Repository type: Git
Looking up ***/*** for branches
Checking branch release/np-1.31 from ***/***
      ‘Jenkinsfile’ found
    Met criteria
Changes detected: release/np-1.31 (7ed4c9ea362282c445dc1d793d1cf633967a08bf → 17b07cbe0f997b8654b8f1d440e950046d1f53d8)
ERROR: Exception: java.io.IOException: hudson.plugins.git.GitException: Command "git fetch --tags --force --progress --prune -- origin +refs/heads/release/np-1.31:refs/remotes/origin/release/np-1.31" returned status code 128:
stdout: 
stderr: fatal: Authentication failed for '***'


Scheduled build for branch: release/np-1.31

  1 branches were processed (query completed)

What Operating System are you using (both controller, and any agents involved in the problem)?

Rocky Linux 9

Reproduction steps

see log

Expected Results

git fetch should be authenticated

Actual Results

it is not

Anything else?

No response

Are you interested in contributing a fix?

No response

[nfalco79]

Please report the actual credentials type are you using (ssh, oauth2, app password)?
There was a plugin version for which it worked?

[nfalco79]

Do you have cache enabled (maybe branch list was cached)?
If you trigger a manual repository scan does it works?

[Enrice]

credentials type is user/password, while password is actually an http access token with admin rights on the project.
last plugin version that worked was 886.v44cf5e4ecec5 - downgrading instantly works

no caching of the branch list as far as I can tell
when triggered manually the same happens.

[Enrice]

I tried with 906.vedf430cb_4481 now, same.

[nfalco79]

credentials type is user/password, while password is actually an http access token with admin rights on the project.

Do you mean that you have configured an OAuth2 credential with secretId and secretPassword as a Username/Password Jenkins credentials or in the Jenkins credential you have setup as user x-auth-token and as password <token value> ?

The first one works and follow the documentation, the second one no.

We have configured OAuth2 for bibtucket cloud and scan/git clone works so I something is missing to reproduce this issue.

[nfalco79]

Changes in release https://github.com/jenkinsci/bitbucket-branch-source-plugin/releases/tag/895.v15dc41668f03 are:

1. one re-throw exception that was eat
2. other one is about the key in cache (but in your case is disabled)
3. Update jenkins dependencies (that you will get also if this plugin did not move forward)

[Enrice]

credentials type is user/password, while password is actually an http access token with admin rights on the project.

Do you mean that you have configured an OAuth2 credential with secretId and secretPassword as a Username/Password Jenkins credentials or in the Jenkins credential you have setup as user x-auth-token and as password ?

The first one works and follow the documentation, the second one no.

We have configured OAuth2 for bibtucket cloud and scan/git clone works so I something is missing to reproduce this issue.

configured token for CI user in bitbucket here:

credentials defined in jenkins:

used in the job:

Bitbucket Datacenter here. No cloud.
Plz notice I updated latest working version above which was 886, all later ones fail with mentioned error.

[nfalco79]

Clonse since this is not a bug but a requested feature (I know from this issue that it worked in some way before 886).

[Enrice]

please reopen! I think you mixed sth. up. this IS a bug, not a feature request.

reason:
I am NOT!!! using a repository or project token, which would have to be used with bearer authentication, but a PERSONAL ACCESS TOKEN, which is used instead of the password only. This is totally transparent to jenkins or any plugin and will be usable in all basic authentication scenarios.

see again:

[nfalco79]

Ok, the cause than could that is it catched to be a BitbucketAccessTokenAuthenticator where only the token is moved forward without username. From the log it's impossible to understand which kind of authenticator is used

[Enrice]

To rule out token handling I tried with plain user / password (so essentially replace the token by the REAL password), and it didn't work either.

So this has nothing to do with HTTP access token! (I also changed the title)

[nfalco79]

The AppPassword for bitcucket cloud works and it's a username/password couple credentials in place of real user/password. In Bitbucket cloud REST API does not allow the use of real user/password.
Unfortunately the guide in the README.MD to startup a local server
server: atlas-run-standalone -u 6.3.0 --product bitbucket --version 5.2.0 --data-version 5.2.0
does not work anymore (I used at the time of my first contribution to this plugin). Altassian SDK is not able to run server > 7.21 on windows so I'm tring using docker image to run a local bitbucket server 8.16

[Enrice]

plz note the update in my Environment above. I use bitbucket data center 8.19.9 (LTS)

[Enrice]

just to narrow down the possibly causing changes: first broken version was 887.va_d359b_3d2d8d