Bitbucket SSO maps users by username, allowing GitLab logins to be taken on update
### The issue

When signing into GitLab using a Bitbucket Cloud account, we map the logged-in GitLab user to their Bitbucket user using their `username`. However, a Bitbucket username can be changed at any time. If someone changes their username on Bitbucket after using it to log into GitLab, another Bitbucket user can pick up the newly-available username, log into GitLab with their own Bitbucket credentials, and gain access to the GitLab account of the person who originally owned that username.

### Steps to recreate

1. Create a Bitbucket Cloud account. I made an account with the username `sword-gitlab`.
2. Integrate Bitbucket Cloud into your application and allow SSO for `bitbucket`.
3. Sign into GitLab with the Bitbucket account you just created (`sword-gitlab`). Once you're successfully signed in, sign out.
4. Go to bitbucket.com and sign in with the Bitbucket account you used to SSO into GitLab.
5. Change your Bitbucket username to something new (`sword-gitlab` -> `samword-gitlab`).
6. Sign out of this Bitbucket account and create a new Bitbucket user with your first user's username, now that it's available (`sword-gitlab`, but with a new email and password).
7. Return to GitLab and sign in with Bitbucket again using your second user's Bitbucket credentials (`sword-gitlab` with the new email and password). Clearing cookies or using a private tab works best to ensure you're signing into Bitbucket with your second user's credentials.
8. See that you have logged into the same GitLab account as before with the new credentials.
9. Attempting to sign in again with the first user's credentials results in an "Email has already been taken" error.

### Potential fix

We define `uid` as `username` in our [Bitbucket OAuth strategy](https://gitlab.com/gitlab-org/gitlab/-/blob/f5086498cd33f6b261be633980f145646c32f0e6/lib/omni_auth/strategies/bitbucket.rb#L16-18).
We should really be using the Atlassian account UUID, which is available in [the same API response we use to get the user's username](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-user-get). The fix should be as simple as changing [this line](https://gitlab.com/gitlab-org/gitlab/-/blob/f5086498cd33f6b261be633980f145646c32f0e6/lib/omni_auth/strategies/bitbucket.rb#L17) to `raw_info['uuid']`. This should fix new Bitbucket sign-ins, but will likely not be complete for existing identities.

### Plan

https://gitlab.com/gitlab-org/gitlab/-/issues/452426#note_1846233592
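The following is an added illustration, not GitLab's own code: a minimal stand-in for the OmniAuth identity lookup that replays the steps above against two `uid` mappings, the mutable `username` the issue describes and the immutable account `uuid` proposed as the fix. The `IdentityStore` class, the `UID_BY_*` lambdas, the `replay_scenario` helper and the sample `/2.0/user`-shaped payloads (UUIDs, emails) are all constructed for this example and only model the find-or-create-by-`extern_uid` behaviour plus email uniqueness; they are not the real strategy or model code.

```ruby
# Added example (not GitLab's code): why keying a provider identity on a mutable
# username lets a later owner of that username inherit the GitLab account, and
# why keying on the immutable Atlassian account UUID does not.

# Constructed payloads shaped like the Bitbucket Cloud /2.0/user response
# (only the fields relevant here). 'uuid' is fixed per account; 'username' is
# user-editable. These values are made up for this example.
ALICE_UUID   = '{0a000000-0000-4000-8000-000000000001}'
MALLORY_UUID = '{0b000000-0000-4000-8000-000000000002}'

ALICE_ORIGINAL = { 'username' => 'sword-gitlab',   'uuid' => ALICE_UUID,   'email' => 'alice@example.test' }
ALICE_RENAMED  = { 'username' => 'samword-gitlab', 'uuid' => ALICE_UUID,   'email' => 'alice@example.test' }
MALLORY        = { 'username' => 'sword-gitlab',   'uuid' => MALLORY_UUID, 'email' => 'mallory@example.test' }

# Vulnerable mapping (what the issue describes): provider uid is the mutable username.
UID_BY_USERNAME = ->(raw_info) { raw_info['username'] }
# Fixed mapping (the proposed change): provider uid is the immutable account UUID.
UID_BY_UUID     = ->(raw_info) { raw_info['uuid'] }

# Minimal stand-in for the identities table: extern_uid => user id, with the
# usual "find by extern_uid, else create a user" callback behaviour and a
# uniqueness constraint on email (the source of the "Email has already been
# taken" error in step 9).
class IdentityStore
  def initialize(uid_extractor)
    @extract_uid = uid_extractor
    @identities  = {} # extern_uid => user id
    @emails      = {} # email => user id
    @next_id     = 1
  end

  # Returns [:ok, user_id] on success or [:email_taken, nil] when a new user
  # would collide with an existing email.
  def sign_in(raw_info)
    extern_uid = @extract_uid.call(raw_info)
    return [:ok, @identities[extern_uid]] if @identities.key?(extern_uid)
    return [:email_taken, nil] if @emails.key?(raw_info['email'])

    user_id = @next_id
    @next_id += 1
    @identities[extern_uid] = user_id
    @emails[raw_info['email']] = user_id
    [:ok, user_id]
  end
end

# Replays the report's steps with the given uid mapping and reports what each
# party observes.
def replay_scenario(uid_extractor)
  store = IdentityStore.new(uid_extractor)
  _, alice_id = store.sign_in(ALICE_ORIGINAL)                       # step 3
  # steps 5-6: Alice renames on Bitbucket; Mallory registers the freed name.
  mallory_status, mallory_id = store.sign_in(MALLORY)               # steps 7-8
  alice_status, alice_again_id = store.sign_in(ALICE_RENAMED)       # step 9
  {
    mallory_gets_alices_account: mallory_status == :ok && mallory_id == alice_id,
    alice_keeps_account: alice_status == :ok && alice_again_id == alice_id,
    alice_sees_email_taken: alice_status == :email_taken
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "username as uid: #{replay_scenario(UID_BY_USERNAME)}"
  puts "uuid as uid:     #{replay_scenario(UID_BY_UUID)}"
end
```

With `UID_BY_USERNAME`, Mallory's first sign-in resolves to Alice's user and Alice's own next sign-in fails on the email constraint, exactly the sequence in steps 8 and 9; with `UID_BY_UUID`, Mallory gets a fresh user and Alice's renamed account still resolves to hers. As the issue notes, switching the extractor only helps identities created after the change; rows already stored with a username as `extern_uid` still need to be migrated to the UUID.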