Hi,
I’m using the miniOrange OAuth Client for Bitbucket to connect our Keycloak as SSO. That works perfectly fine.
However, when using the Backdoor-URL, I can log in with any password if I enter a valid username.
The same happens when I clone a repository or make any git request from the command shell. If I enter a valid username, I can provide any password (or even leave it blank) and gain access to the site.
That is a serious bug and security issue. I don’t have these problems with JIRA and Confluence, in which I use the miniOrange OAuth Clients for said apps, but the one for Bitbucket allows login without passwords using the backdoor or git via https.
Only if I disable the miniOrange OAuth Client does Bitbucket check the password correctly and work as intended, but with miniOrange enabled, the backdoor is wide open 🙁
– M