Call Bitbucket REST API using 2leg oauth token

Question

I am trying to call bitbucket's api using 2-legged oauth authentication.

I call

https://bitbucket.org/!api/1.0/oauth/request_token

with my oauth secret and key and get the following:

oauth_token_secret=<token_secret>&oauth_token=<token>&oauth_callback_confirmed=true

How can I use this to call an api function, such as

https://bitbucket.org/api/1.0/user 

Answer 1

After you have received accesstoken & secret, when you send the request add a (Authorization) Header as,

Authorization: OAuth oauth_consumer_key="<YourKey>",oauth_signature_method="HMAC-SHA1",oauth_timestamp="<TIMESTAMP>",oauth_nonce="2694561796",oauth_version="1.0",oauth_signature="<Signature>"

where,

TIMESTAMP= current epoch (ms) oauth_nonce random number

Important thing is oauth_signature

Read through here on how to generate,

Oauth 1.0 Signature

Signature has to be precalculated before sending the request. And this will do it.

To test it you can tryout it here, Apigee Bitbucket API Console

PS: Its weird that Bit Bucket uses OAuth 1.0, well known for its vulnerabilities.

Session Fixation Attack