Bitbucket throws XSRF token validation failed error during OAuth connection
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
On attempting to establish an OAuth connection with Bitbucket, the following error is received after clicking the 'Accept' button:
Error Text
Welcome to Bitbucket
Xsrf token validation failed
Environment
- Bitbucket Server/Data Center
- Third-party plugins have been installed
Diagnosis
On first being directed to Bitbucket, open Chrome Developer Tools (F12) → Network, select the authorize?oauth_callback... request and review its Response Headers section: a Set-Cookie header for the atl.xsrf.token cookie should be present here.
However, instead, the following cookies are the only ones present when the request is submitted to Bitbucket on hitting the 'approve' button:
"cookies": [
    {
        "name": "BITBUCKETSESSIONID",
        "value": "REALLYLONGHEXADECIMALSTRING",
        "expires": null,
        "httpOnly": false,
        "secure": false
    },
    {
        "name": "_atl_bitbucket_remember_me",
        "value": "ANOTHERREALLYLONGRANDOMSTRING",
        "expires": null,
        "httpOnly": false,
        "secure": false
    },
    {
        "name": "wit-announce-token",
        "value": "REALLYLONGHEXADECIMALSTRING-BUT-THIS-TIME-WITH-DASHES",
        "expires": null,
        "httpOnly": false,
        "secure": false
    }
],
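The same check can be run offline against a HAR export of the authorize flow (Chrome: Network tab → right-click → "Save all as HAR with content"). The script below is an added example and is not part of the Atlassian article or of Bitbucket itself; the request URL, cookie values and the `sample_har` fixture are constructed for illustration. It looks for Set-Cookie headers naming atl.xsrf.token on the authorize responses and then checks whether that cookie is sent back on the POST made when the 'approve' button is clicked, which separates "never set" (the plugin case this article describes) from "set but not returned".

```python
"""Check a HAR export of the Bitbucket OAuth authorize flow for the XSRF cookie.

Added example, not Atlassian code. Assumptions: the authorize request URL
contains "authorize" (as in the article's DevTools filter) and the approve
step is a POST to the same servlet.
"""
import json

# Cookie name the article says Bitbucket must set during the OAuth authorize step.
XSRF_COOKIE = "atl.xsrf.token"


def set_cookie_names(entry):
    """Cookie names set by an entry's Set-Cookie response headers."""
    names = set()
    for header in entry["response"].get("headers", []):
        if header["name"].lower() == "set-cookie":
            # "name=value; Path=/; HttpOnly" -> "name"
            names.add(header["value"].split(";", 1)[0].split("=", 1)[0].strip())
    return names


def request_cookie_names(entry):
    """Cookie names the browser attached to an entry's request."""
    return {c["name"] for c in entry["request"].get("cookies", [])}


def diagnose(har):
    """Return whether atl.xsrf.token was set by the server and sent on approve."""
    entries = [e for e in har["log"]["entries"] if "authorize" in e["request"]["url"]]
    set_by_server = set()
    sent_on_approve = set()
    for e in entries:
        set_by_server |= set_cookie_names(e)
        if e["request"]["method"].upper() == "POST":
            sent_on_approve |= request_cookie_names(e)
    xsrf_set = XSRF_COOKIE in set_by_server
    xsrf_sent = XSRF_COOKIE in sent_on_approve
    if xsrf_set and xsrf_sent:
        verdict = "ok"
    elif not xsrf_set:
        verdict = "atl.xsrf.token never set by the server: suspect an installed plugin"
    else:
        verdict = "atl.xsrf.token set but not sent with the approve request"
    return {
        "xsrf_set": xsrf_set,
        "xsrf_sent": xsrf_sent,
        "cookies_sent": sorted(sent_on_approve),
        "verdict": verdict,
    }


def load_har(path):
    """Load a HAR file saved from the browser's Network tab."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def sample_har(xsrf_cookie_set):
    """Constructed HAR fixture (not a real capture) for the healthy/broken cases."""
    url = ("https://bitbucket.example.invalid/plugins/servlet/oauth/authorize"
           "?oauth_callback=https%3A%2F%2Fclient.example.invalid%2Fcb")
    names = ["BITBUCKETSESSIONID", "_atl_bitbucket_remember_me", "wit-announce-token"]
    if xsrf_cookie_set:
        names.append(XSRF_COOKIE)
    set_cookies = [{"name": "Set-Cookie", "value": f"{n}=CONSTRUCTED; Path=/"} for n in names]
    sent = [{"name": n, "value": "CONSTRUCTED"} for n in names]
    return {"log": {"entries": [
        {"request": {"method": "GET", "url": url, "cookies": []},
         "response": {"status": 200, "headers": set_cookies}},
        {"request": {"method": "POST", "url": url, "cookies": sent},
         "response": {"status": 200, "headers": []}},
    ]}}


if __name__ == "__main__":
    import sys
    har = load_har(sys.argv[1]) if len(sys.argv) > 1 else sample_har(False)
    print(json.dumps(diagnose(har), indent=2))
```

Run it with the path to a saved HAR file; with no argument it evaluates the constructed broken case and reports the three cookies from the article with the "never set" verdict.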
Cause
The expected atl.xsrf.token cookie is not being set because an installed third-party plugin is removing the cookie or blocking it from being set in the first place.
In previously seen instances of this issue, the following plugins have resulted in this issue:
Name | Vendor | Version | Plugin Key
---|---|---|---
Announcer for Bitbucket | Wittified Atlassian Add-Ons (An Appfire Company) | 3.5 | com.wittified.atl-announcer-stash
Solution
Attempt to disable the faulting plugin, and see if the issue can still be reproduced. If the issue is resolved, it's recommended to check the offending plugin to see if any upgrades are available, or to reach out to the support resources for this plugin listed on the Atlassian Marketplace.
If your team is unsure which plugin could be causing the issue, enable 'Safe Mode' and then try to reproduce the issue using the following steps. Performing these steps temporarily disables all user-installed plugins within the Bitbucket Server instance:
- Navigate to Administration > Add-ons > Manage add-ons.
- Click on the Enter safe mode link at the bottom of the page.
- Click on Enter safe mode when you are prompted to confirm the operation.
- Attempt to reproduce the issue in question.
- When finished, you can exit safe mode by clicking on Exit Safe Mode and restore the previous configuration back on the Manage add-ons page.