Update OAuth strategy to use api.bitbucket.org for API calls

Summary

The Bitbucket Cloud OAuth strategy currently makes API calls to https://bitbucket.org instead of https://api.bitbucket.org, which conflicts with the upcoming deprecation announced in Bitbucket Cloud API Changelog CHANGE-3052.

Due date: 2026-05-04

Problem

According to CHANGE-3052:

"All token-based authenticated requests (API tokens, app passwords, OAuth 2.0, etc.) must be directed exclusively to https://api.bitbucket.org"

Currently, our OAuth strategy (lib/omni_auth/strategies/bitbucket.rb) is configured with:

  option :client_options, {
    site: 'https://bitbucket.org',
    authorize_url: 'https://bitbucket.org/site/oauth2/authorize',
    token_url: 'https://bitbucket.org/site/oauth2/access_token'
  }

This causes API calls on lines 30 and 39 to resolve incorrectly:

These should target https://api.bitbucket.org/2.0/user and https://api.bitbucket.org/2.0/user/emails respectively.

Proposed Solution

Update the OAuth strategy to use absolute URLs for API calls, or adjust the site configuration to ensure API calls target https://api.bitbucket.org.

Option 1: Use absolute URLs

  def raw_info
    @raw_info ||= access_token.get('https://api.bitbucket.org/2.0/user').parsed
  end

  def emails
    # Memoize the whole lookup so the request is only made once per instance.
    @emails ||= begin
      email_response = access_token.get('https://api.bitbucket.org/2.0/user/emails').parsed
      (email_response && email_response['values']) || []
    end
  end

Option 2: Adjust site configuration (may affect other behavior)

  option :client_options, {
    site: 'https://api.bitbucket.org',
    authorize_url: 'https://bitbucket.org/site/oauth2/authorize',
    token_url: 'https://bitbucket.org/site/oauth2/access_token'
  }
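
A spec-style check that applies to either option, added here as an example and not taken from the issue or the project's code. It assumes relative request paths are joined onto `site`; `resolve_api_url`, `token_request_allowed?`, `violations` and the relative paths are hypothetical names and constructed inputs.

```ruby
require 'uri'

# Host required for token-authenticated requests, per the CHANGE-3052 quote.
API_HOST = 'api.bitbucket.org'

# Hypothetical helper. Assumption: an absolute URL is used as given, and a
# relative path is joined onto the configured `site`.
def resolve_api_url(site, path)
  uri = URI.parse(path)
  return uri if uri.absolute?

  URI.join(site.end_with?('/') ? site : "#{site}/", path)
end

# Hypothetical guard: HTTPS only, exact host match, no embedded credentials.
# An exact match rejects lookalike hosts that merely start with API_HOST.
def token_request_allowed?(uri)
  uri.is_a?(URI::HTTPS) && uri.userinfo.nil? &&
    uri.host.to_s.downcase == API_HOST
end

# Returns the request paths that would send the bearer token to another host.
def violations(site, paths)
  paths.reject { |path| token_request_allowed?(resolve_api_url(site, path)) }
end

# Constructed inputs; the relative paths are illustrative, not the project's.
RELATIVE_PATHS = ['2.0/user', '2.0/user/emails'].freeze
ABSOLUTE_URLS  = RELATIVE_PATHS.map { |p| "https://#{API_HOST}/#{p}" }.freeze

if __FILE__ == $PROGRAM_NAME
  # Relative paths against the current site: every call is flagged.
  puts "current:  #{violations('https://bitbucket.org', RELATIVE_PATHS).inspect}"
  # Option 1 (absolute URLs) and Option 2 (site changed): nothing is flagged.
  puts "option 1: #{violations('https://bitbucket.org', ABSOLUTE_URLS).inspect}"
  puts "option 2: #{violations('https://api.bitbucket.org', RELATIVE_PATHS).inspect}"
end
```

Under Option 2 the absolute `authorize_url` and `token_url` still resolve to bitbucket.org, so only relative request paths change host.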

Impact

  • Severity: High (API will stop working after May 4th, 2026)
  • Affected Component: Bitbucket Cloud OAuth authentication and user import
  • Affected File: lib/omni_auth/strategies/bitbucket.rb (lines 10-14, 30, 39)

This is part of a broader set of Bitbucket API changes. See also:

Checklist

  • Update OAuth strategy to use https://api.bitbucket.org for API calls
  • Test OAuth authentication flow with Bitbucket Cloud
  • Verify token refresh still works correctly
  • Test user import functionality
  • Add/update specs to cover the change
  • Update documentation if necessary

References

Edited by Rez