How to choose an authentication type?

Post Webhooks for Bitbucket app provides the ability to add an authentication mechanism to the webhook requests, ensuring that only authorized parties can access the webhook endpoint.

The choice of authentication type, Basic, Bearer, or Kerberos, depends on the specific authentication mechanism you have in place for your Bitbucket server. Those authentication types differ in the way they handle authentication and provide access to resources.

Overview

Basic Authentication

Basic authentication is a widely supported authentication method that uses a username and password to authenticate requests:

  • credentials are sent in the HTTP request headers, typically encoded in Base64;

  • widely supported and relatively easy to implement;

  • may be less secure compared to other authentication methods as the credentials are sent with each request.

Bearer Authentication

Bearer authentication uses a bearer token to authenticate requests. This type of authentication is commonly used with APIs that require token-based authentication:

  • the bearer token is obtained through a separate authentication process (e.g., OAuth) and is then included in the request headers;

  • token-based authentication is stateless, meaning the server does not need to store session information;

  • provides more flexibility and scalability compared to basic authentication, as tokens can have different expiration times and can be easily revoked.
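
How a receiving endpoint could check the Authorization header that Basic or Bearer authentication adds to each webhook request. This is an added example, not code from the Post Webhooks app; the credential values and function names are constructed for illustration. It also shows that the Basic payload is only Base64-encoded and decodes straight back to the password, so the endpoint should be served over HTTPS.

```python
import base64
import binascii
import hmac

# Constructed sample credentials for the receiving endpoint (assumptions, not from the page).
EXPECTED_BASIC = ("webhook-user", "s3cr3t-example")
EXPECTED_BEARER = "example-token-0123456789"


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison so timing does not leak how much of a secret matched."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def parse_basic(value: str):
    """Decode the Base64 payload of a Basic header into (username, password), or None."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def is_authorized(authorization_header) -> bool:
    """Return True only if the Authorization header carries the expected credentials."""
    if not authorization_header:
        return False
    scheme, _, value = authorization_header.strip().partition(" ")
    value = value.strip()
    if scheme.lower() == "basic":
        creds = parse_basic(value)
        if creds is None:
            return False
        # Evaluate both comparisons before combining, to avoid short-circuiting.
        user_ok = _equal(creds[0], EXPECTED_BASIC[0])
        pass_ok = _equal(creds[1], EXPECTED_BASIC[1])
        return user_ok and pass_ok
    if scheme.lower() == "bearer":
        return bool(value) and _equal(value, EXPECTED_BEARER)
    return False  # unknown or unsupported scheme: reject


def basic_header(user: str, password: str) -> str:
    """Build the header value a sender would emit for Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```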

Kerberos Authentication

Kerberos authentication has been available since version 3.22.12.

Kerberos is a network authentication protocol that uses tickets to authenticate users and services in a secure manner:

  • provides single sign-on capabilities, allowing users to authenticate once and access multiple resources without re-entering their credentials;

  • relies on a trusted third-party authentication server (Kerberos Key Distribution Center or KDC) and uses symmetric key cryptography;

  • requires Kerberos client libraries to be installed and configured on the client and server machines;

  • offers strong security and is commonly used in enterprise environments;

  • requires a username and password for authentication.

Kerberos is an experimental API.

Make sure Bitbucket was started with the proper configuration, e.g.:

JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false"

Afterwards, you can specify a username and password in the authentication section of the configuration screen.

Configuration

The Enable Authentication option is available at all configuration levels during webhook creation:

Global Configurations for Bitbucket admins

Project Level Configurations

Repository Level Configurations

  1. Find our application Post Webhooks on the level that suits your needs best: Global, Project, or Repository.

  2. From the Configurations tab, click image-20240712-102622.png

  3. Tick the button to Enable Authentication

  4. Choose the Authentication type and enter credentials to authenticate requests.

  5. After you have specified the rest of the necessary parameters, click the Save button.
