-
Type:
Suggestion
-
Resolution: Unresolved
-
Component/s: Pipelines - OpenID Connect
-
None
-
1
Bitbucket Pipelines publishes the following OIDC discovery metadata:
{ "authorization_endpoint": "urn:bitbucket_cloud:programmatic_authorization", "issuer": "https://api.bitbucket.org/2.0/workspaces/<workspace>/pipelines-config/identity/oidc", "jwks_uri": "https://api.bitbucket.org/2.0/workspaces/<workspace>/pipelines-config/identity/oidc/keys.json" }
The value of authorization_endpoint is a URN instead of an HTTPS URL.
Some identity providers, such as SAP Cloud Identity Services (IAS), validate the OIDC discovery document during provider registration. According to the SAP documentation, authorization_endpoint is optional, but if present it must be a valid HTTPS URI. As a result, SAP IAS rejects Bitbucket's OIDC metadata during registration.
Since Bitbucket Pipelines OIDC is intended for workload identity rather than interactive user authentication, it would be beneficial to improve interoperability by either:
- Removing authorization_endpoint from the discovery document, or
- Replacing it with a standards-compliant HTTPS endpoint.
This would improve compatibility with standards-compliant OIDC consumers such as SAP Cloud Identity Services while preserving the existing Bitbucket Pipelines OIDC functionality