Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 10.0.0, 9.6.3
Affects Version/s: 9.5.2, 9.6.2, 9.4.8
Component/s: Integration - Deployment
Labels:
None

Support reference count:
1
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

In the Bitbucket Data Center, there is an issue with the OAuth2.0 provider. When a user denies consent, the `state` parameter is missing in the callback. This violates RFC6749 section 4.1.2.1 and causes CSRF prevention and integration issues.

Steps to Reproduce

Setup Oauth2-based Application Link on Bitbucket DC
Initiate a Request from the OAuth Client App nd deny the Consent

Expected Results

The return callback reponse hsould also have the `state` parameter

Actual Results

It doesn't have the state parameter included when consent is denied; only the state is passed when the Consent is Approved or Allowed

Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available

Assignee:: David Jansons

Reporter:: Danny Samuel

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 09/Jul/2025 8:01 AM

Updated:: 13/Jul/2025 10:01 AM

Resolved:: 09/Jul/2025 11:12 PM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Forms

Activity

People

Dates