Post Webhooks for Bitbucket app provides the ability to add an authentication mechanism to the webhook requests, ensuring that only authorized parties can access the webhook endpoint.
The choice of authentication type, Basic, Bearer, or Kerberos, depends on the specific authentication mechanism you have in place for your Bitbucket server. Those authentication types differ in the way they handle authentication and provide access to resources.
Basic authentication is a widely supported authentication method that uses a username and password to authenticate requests:
credentials are sent in the HTTP request headers, typically encoded in Base64;
widely supported and relatively easy to implement;
may be less secure compared to other authentication methods as the credentials are sent with each request.
Bearer authentication uses a bearer token to authenticate requests. This type of authentication is commonly used with APIs that require token-based authentication:
the bearer token is obtained through a separate authentication process (e.g., OAuth) and is then included in the request headers.
token-based authentication is stateless, meaning the server does not need to store session information.
provides more flexibility and scalability compared to basic authentication, as tokens can have different expiration times and can be easily revoked.
Kerberos authentication is available since 3.22.12
Kerberos is a network authentication protocol that uses tickets to authenticate users and services in a secure manner:
provides single sign-on capabilities, allowing users to authenticate once and access multiple resources without re-entering their credentials;
relies on a trusted third-party authentication server (Kerberos Key Distribution Center or KDC) and uses symmetric key cryptography;
requires Kerberos client libraries to be installed and configured on the client and server machines;
offers strong security and is commonly used in enterprise environments;
requires a username and password for authentication.
Kerberos is a experimental API.
Be sure Bitbucket was started with proper configuration e.g.:
JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false"
Afterwards, you can specify a
passwordin the authentication section of the configuration screen.
Enabling Authentication option is available on all configuration levels during the webhook creation:
Find our application Post Webhooks on the level that suits your needs best: Global, Project, or Repository.
Click on Add webhook button in the left corner and create a new configuration.
Tick the checkbox Enable Authentication
Choose the Authentication type and enter credentials to authenticate requests.
After you have specified the rest of the necessary parameters click on the Save button.