From 4eef21cf3d3eac2bf508a18f3a971bb4ed8530d7 Mon Sep 17 00:00:00 2001 From: Mariusz Strzelecki Date: Mon, 16 Mar 2020 12:39:12 +0100 Subject: [PATCH] Bitbucket Auth Provider docs (#447) * Bitbucket Auth Provider docs * Typo fixed --- docs/2_auth.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/docs/2_auth.md b/docs/2_auth.md index cbf63805..34908c9a 100644 --- a/docs/2_auth.md +++ b/docs/2_auth.md @@ -23,6 +23,7 @@ Valid providers are : - [login.gov](#logingov-provider) - [Nextcloud](#nextcloud-provider) - [DigitalOcean](#digitalocean-auth-provider) +- [Bitbucket](#bitbucket-auth-provider) The provider can be selected using the `provider` configuration value. 
@@ -342,6 +343,27 @@ To use the provider, pass the following options: Alternatively, set the equivalent options in the config file. The redirect URL defaults to `https:///oauth2/callback`. If you need to change it, you can use the `--redirect-url` command-line option. +### Bitbucket Auth Provider + +1. [Add a new OAuth consumer](https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html) + * In "Callback URL" use `https:///oauth2/callback`, substituting `` with the actual hostname that oauth2_proxy is running on. + * In Permissions section select: + * Account -> Email + * Team membership -> Read + * Repositories -> Read +2. Note the Client ID and Client Secret. + +To use the provider, pass the following options: + +``` + --provider=bitbucket + --client-id= + --client-secret= +``` + +The default configuration allows everyone with Bitbucket account to authenticate. To restrict the access to the team members use additional configuration option: `--bitbucket-team=`. To restrict the access to only these users who has access to one selected repository use `--bitbucket-repository=`. + + ## Email Authentication To authorize by email domain use `--email-domain=yourcompany.com`. To authorize individual email addresses use `--authenticated-emails-file=/path/to/file` with one email per line. To authorize all email addresses use `--email-domain=*`.
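Review bot: In the second hunk (docs/2_auth.md, the new "Bitbucket Auth Provider" section), the statement that the default configuration admits everyone with a Bitbucket account comes last, after the options block, so a reader who copies the three flags ends up with a proxy that any Bitbucket account can pass without having seen the restriction options. Suggest moving the `--bitbucket-team=` and `--bitbucket-repository=` guidance directly under the options block, stating the expected value format for each flag (the hunk gives none) and whether the two can be combined. The Permissions step also lists "Team membership -> Read" and "Repositories -> Read" unconditionally; if they are only needed when the matching restriction flag is set, say so, so that a consumer used without restrictions requests only "Account -> Email". The trailing context shows `--email-domain` documented right after this section, and it would help to say how it interacts with the Bitbucket restrictions. Wording nits in the last added paragraph: "everyone with a Bitbucket account" and "those users who have access".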