Don’t use BitBucket – broken OpenID authentication

We’re starting a new client project, and the client uses Mercurial exclusively, all through BitBucket.

BitBucket has a stupid user-accounts system, that demands you invent a globally-unique username. Oh dear lord – how amateurish are you guys?

Aha! BUT! … they have a (very subtle) link to let you use OpenID instead. Phew! My day is saved – I don’t have to be “dodgy-69-sucker-11111″ just in a desperate attempt to work around a naive website architect.

OpenID FAIL

Except … once you’ve sacrificed your private account details to Atlassian, they … don’t allow you to login. It reports “success” but tells you that you’re not allowed to use OpenID to access the site, you STILL have to create a non-OpenID account, using a globally unique ID.

I’m sure they’re doing “something” with OpenID, but I get the impression that the folks at BitBucket don’t grok what most of the world is using it for…

How do I take back my Identity, you fraudsters?

Well, Atlassian won’t help you there.

Fortunately, Google did…

Google’s UI designers FTW

I used Google as my OpenID source this time around. And, *fortunately*, Google’s process for de-authorizing a website is very simple.

I usually assume Google’s UI is great, and I usually only blog about it when it fails badly, but here’s an example where it works beautifully.

(hint: there’s a shortcut – but Google might change the link in future. You can go directly to: https://www.google.com/accounts/IssuedAuthSubTokens)

Just go to your account page (https://www.google.com/accounts/), and *right at the top of the page* (thanks, Google!) is a link to all your authorized websites – it’s in a big white space on it’s own, VERY easy to find.

8 thoughts on “Don’t use BitBucket – broken OpenID authentication

  1. Alastair Pitts

    I noticed this.

    I think the main reason for the unique username/password is for the SSL when using TortoiseHg or something like that. I personally had already revoked access after I had to create the login.

    Your headline is a little inflammatory isn’t it? Surely it would be more reasonable to alert people to this rather than flat out tell people not to use BitBucket.

  2. adam Post author

    If they’re getting something as fundamental as OpenID wrong – and there are great alternatives out there (Mercurial is nothing special, has direct competiors, as does BB) – why bother using them?

    If you’re entrusting your source code to an external entity, you need to have faith in them. Unexplained strange happenings in the login system are a really bad starting point.

    Or … to put it another way … my experience over the last decade or so is that when a vendor can’t get a fundamental part of their system working appropriately, it usually means there’s something deeply flawed in their architecture – or their company (sometimes it’s meant that they’ve recently lost half their engineers, hired away to a better competitor) – and continuing with that vendor has tended to be a decision we bitterly regretted later.

  3. adam Post author

    Incidentally, I reported this to them.

    They thanked me, ignored the isssue, and said “if there’s anything we can help with in future, please get in touch”.

    i.e. “go away, we don’t care”.

    Given they’re owned by Atlassian, I would *guess* that BB currently is focussed on large customers. There’s nothing wrong with that – but it’s a bad sign for individuals and small companies, i.e. typical readers of this blog :)

  4. Justen Stepka

    @adam

    i.e. “go away, we don’t care”. — for sure we care about users and their feedback. Feedback from users is how we’re shaping the roadmap to improve Bitbucket.

    You should be able to login using your OpenID provider without having to use a username after your initial authentication. Recently we upgraded the authentication from to remember your preference for OpenID.

    Alastair is correct in his assumption that we ask users to create usernames for the purpose giving users a place to store their code on a unique URL. The username is also useful for clients like TortoiseHg and the HTTP method of pushing code to Bitbucket.

    Having to pick a username is a pretty common implementation approach. If you check out the Simple Registration Extension to OpenID (http://openid.net/specs/openid-simple-registration-extension-1_0.html), the first attribute often passed on from the provider is a standard username.

    Cheers,

    Justen Stepka
    Bitbucket Product Manager

  5. adam Post author

    @Justen – Thanks. NB: I’ve had no further response from the “official” channels – maybe they were waiting until next week to give a “real” response? Maybe (I hold out hope). On the balance of probability, I sadly don’t think so – the response looked exactly like the form-letter dismissals we see from every company (and which some of my previous employers have used). If I hadn’t blogged about it, I suspect it would have vanished.

    When I tried to use the site, it wouldn’t let me – it just kept giving me this “you need to register a username, password, and email address” screen. Those three things are precisely why I use OpenID – I don’t need to do ANY of them with OpenID. I regularly use 5-10 OpenID sites, and NONE of them have asked for this data – they all took it automatically.

    Finally, if the username is about generating unique URL’s, then you should TELL people this up front (since they’ll be stuck with it). Even then, why force them to do this before they can user the site? Why not let them make that decision at publish-time? or as a separate account setting? I’m assuming it doesn’t HAVE to be the same as the magic username – or is your webserver DB unable to have arbitrary URL’s mapped to arbitrary users?

  6. OwhyOwhyDoISubscribeToThisRss

    I have to agree with Alastair Pitts about your whore grabbing headline :(

  7. Jason

    “Finally, if the username is about generating unique URL’s, then you should TELL people this up front ”

    Are you an idiot? If you’ve used BitBucket or GitHub or frankly, any website that gives you an identifying url, you’d realize this was standard practice and expected. Does WordPress.com let you start a blog and then later set the name for it ? No. The internet is based on unique URLs and this is no exception.

    Take your imflammatory headline and trolling and leave the internets please.

  8. adam Post author

    @Jason

    You picked a site whose apparent purpose is “to give you your own URL for a blog”, and that immediately asks you for the name of your blog.

    You’re comparing that to a site whose apparent purpose is “to edit and view source code for multiple projects, both public and private”.

    They are completely different things.

    Anyway … even the BitBucket product manager who posted here claims it *should not* be doing what it’s doing right now. So, yes, I stand by the claim it’s got broken auth :).

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Current month ye@r day *