2012-06-24 11:39:59 +00:00
|
|
|
git-credential(1)
|
|
|
|
=================
|
|
|
|
|
|
|
|
NAME
|
|
|
|
----
|
2012-08-08 07:58:27 +00:00
|
|
|
git-credential - Retrieve and store user credentials
|
2012-06-24 11:39:59 +00:00
|
|
|
|
|
|
|
SYNOPSIS
|
|
|
|
--------
|
|
|
|
------------------
|
2021-10-28 16:21:56 +00:00
|
|
|
'git credential' (fill|approve|reject)
|
2012-06-24 11:39:59 +00:00
|
|
|
------------------
|
|
|
|
|
|
|
|
DESCRIPTION
|
|
|
|
-----------
|
|
|
|
|
|
|
|
Git has an internal interface for storing and retrieving credentials
|
|
|
|
from system-specific helpers, as well as prompting the user for
|
|
|
|
usernames and passwords. The git-credential command exposes this
|
|
|
|
interface to scripts which may want to retrieve, store, or prompt for
|
2013-01-21 19:17:53 +00:00
|
|
|
credentials in the same manner as Git. The design of this scriptable
|
2019-11-17 21:04:53 +00:00
|
|
|
interface models the internal C API; see credential.h for more
|
2012-06-24 11:39:59 +00:00
|
|
|
background on the concepts.
|
|
|
|
|
|
|
|
git-credential takes an "action" option on the command-line (one of
|
|
|
|
`fill`, `approve`, or `reject`) and reads a credential description
|
|
|
|
on stdin (see <<IOFMT,INPUT/OUTPUT FORMAT>>).
|
|
|
|
|
|
|
|
If the action is `fill`, git-credential will attempt to add "username"
|
|
|
|
and "password" attributes to the description by reading config files,
|
|
|
|
by contacting any configured credential helpers, or by prompting the
|
|
|
|
user. The username and password attributes of the credential
|
|
|
|
description are then printed to stdout together with the attributes
|
|
|
|
already provided.
|
|
|
|
|
|
|
|
If the action is `approve`, git-credential will send the description
|
|
|
|
to any configured credential helpers, which may store the credential
|
|
|
|
for later use.
|
|
|
|
|
|
|
|
If the action is `reject`, git-credential will send the description to
|
|
|
|
any configured credential helpers, which may erase any stored
|
2023-06-15 19:19:33 +00:00
|
|
|
credentials matching the description.
|
2012-06-24 11:39:59 +00:00
|
|
|
|
|
|
|
If the action is `approve` or `reject`, no output should be emitted.
|
|
|
|
|
|
|
|
TYPICAL USE OF GIT CREDENTIAL
|
|
|
|
-----------------------------
|
|
|
|
|
|
|
|
An application using git-credential will typically use `git
|
|
|
|
credential` following these steps:
|
|
|
|
|
|
|
|
1. Generate a credential description based on the context.
|
|
|
|
+
|
|
|
|
For example, if we want a password for
|
|
|
|
`https://example.com/foo.git`, we might generate the following
|
|
|
|
credential description (don't forget the blank line at the end; it
|
|
|
|
tells `git credential` that the application finished feeding all the
|
2013-04-11 22:36:10 +00:00
|
|
|
information it has):
|
2012-06-24 11:39:59 +00:00
|
|
|
|
|
|
|
protocol=https
|
|
|
|
host=example.com
|
|
|
|
path=foo.git
|
|
|
|
|
|
|
|
2. Ask git-credential to give us a username and password for this
|
|
|
|
description. This is done by running `git credential fill`,
|
2012-06-24 11:40:00 +00:00
|
|
|
feeding the description from step (1) to its standard input. The complete
|
|
|
|
credential description (including the credential per se, i.e. the
|
|
|
|
login and password) will be produced on standard output, like:
|
2012-06-24 11:39:59 +00:00
|
|
|
|
2012-06-24 11:40:00 +00:00
|
|
|
protocol=https
|
|
|
|
host=example.com
|
2012-06-24 11:39:59 +00:00
|
|
|
username=bob
|
|
|
|
password=secr3t
|
|
|
|
+
|
2012-06-24 11:40:00 +00:00
|
|
|
In most cases, this means the attributes given in the input will be
|
2013-01-21 19:17:53 +00:00
|
|
|
repeated in the output, but Git may also modify the credential
|
2012-06-24 11:40:00 +00:00
|
|
|
description, for example by removing the `path` attribute when the
|
|
|
|
protocol is HTTP(s) and `credential.useHttpPath` is false.
|
|
|
|
+
|
2012-06-24 11:39:59 +00:00
|
|
|
If the `git credential` knew about the password, this step may
|
|
|
|
not have involved the user actually typing this password (the
|
|
|
|
user may have typed a password to unlock the keychain instead,
|
|
|
|
or no user interaction was done if the keychain was already
|
|
|
|
unlocked) before it returned `password=secr3t`.
|
|
|
|
|
|
|
|
3. Use the credential (e.g., access the URL with the username and
|
|
|
|
password from step (2)), and see if it's accepted.
|
|
|
|
|
|
|
|
4. Report on the success or failure of the password. If the
|
|
|
|
credential allowed the operation to complete successfully, then
|
|
|
|
it can be marked with an "approve" action to tell `git
|
|
|
|
credential` to reuse it in its next invocation. If the credential
|
|
|
|
was rejected during the operation, use the "reject" action so
|
|
|
|
that `git credential` will ask for a new password in its next
|
|
|
|
invocation. In either case, `git credential` should be fed with
|
2012-06-24 11:40:00 +00:00
|
|
|
the credential description obtained from step (2) (which also
|
2023-10-08 06:45:03 +00:00
|
|
|
contains the fields provided in step (1)).
|
2012-06-24 11:39:59 +00:00
|
|
|
|
|
|
|
[[IOFMT]]
|
|
|
|
INPUT/OUTPUT FORMAT
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
`git credential` reads and/or writes (depending on the action used)
|
2012-07-18 12:04:02 +00:00
|
|
|
credential information in its standard input/output. This information
|
2012-06-24 11:39:59 +00:00
|
|
|
can correspond either to keys for which `git credential` will obtain
|
2020-05-06 21:47:26 +00:00
|
|
|
the login information (e.g. host, protocol, path), or to the actual
|
|
|
|
credential data to be obtained (username/password).
|
2012-06-24 11:39:59 +00:00
|
|
|
|
2012-07-18 12:04:02 +00:00
|
|
|
The credential is split into a set of named attributes, with one
|
2020-05-06 21:47:26 +00:00
|
|
|
attribute per line. Each attribute is specified by a key-value pair,
|
|
|
|
separated by an `=` (equals) sign, followed by a newline.
|
|
|
|
|
|
|
|
The key may contain any bytes except `=`, newline, or NUL. The value may
|
|
|
|
contain any bytes except newline or NUL.
|
|
|
|
|
2023-02-27 17:20:20 +00:00
|
|
|
Attributes with keys that end with C-style array brackets `[]` can have
|
|
|
|
multiple values. Each instance of a multi-valued attribute forms an
|
|
|
|
ordered list of values - the order of the repeated attributes defines
|
|
|
|
the order of the values. An empty multi-valued attribute (`key[]=\n`)
|
|
|
|
acts to clear any previous entries and reset the list.
|
|
|
|
|
|
|
|
In all cases, all bytes are treated as-is (i.e., there is no quoting,
|
2012-06-24 11:39:59 +00:00
|
|
|
and one cannot transmit a value with newline or NUL in it). The list of
|
|
|
|
attributes is terminated by a blank line or end-of-file.
|
2020-05-06 21:47:26 +00:00
|
|
|
|
2012-07-18 12:04:02 +00:00
|
|
|
Git understands the following attributes:
|
2012-06-24 11:39:59 +00:00
|
|
|
|
|
|
|
`protocol`::
|
|
|
|
|
|
|
|
The protocol over which the credential will be used (e.g.,
|
|
|
|
`https`).
|
|
|
|
|
|
|
|
`host`::
|
|
|
|
|
2020-05-06 21:47:26 +00:00
|
|
|
The remote hostname for a network credential. This includes
|
|
|
|
the port number if one was specified (e.g., "example.com:8088").
|
2012-06-24 11:39:59 +00:00
|
|
|
|
|
|
|
`path`::
|
|
|
|
|
|
|
|
The path with which the credential will be used. E.g., for
|
|
|
|
accessing a remote https repository, this will be the
|
|
|
|
repository's path on the server.
|
|
|
|
|
|
|
|
`username`::
|
|
|
|
|
|
|
|
The credential's username, if we already have one (e.g., from a
|
2020-05-06 21:47:26 +00:00
|
|
|
URL, the configuration, the user, or from a previously run helper).
|
2012-06-24 11:39:59 +00:00
|
|
|
|
|
|
|
`password`::
|
|
|
|
|
|
|
|
The credential's password, if we are asking it to be stored.
|
2012-07-18 12:06:26 +00:00
|
|
|
|
credential: new attribute password_expiry_utc
Some passwords have an expiry date known at generation. This may be
years away for a personal access token or hours for an OAuth access
token.
When multiple credential helpers are configured, `credential fill` tries
each helper in turn until it has a username and password, returning
early. If Git authentication succeeds, `credential approve`
stores the successful credential in all helpers. If authentication
fails, `credential reject` erases matching credentials in all helpers.
Helpers implement corresponding operations: get, store, erase.
The credential protocol has no expiry attribute, so helpers cannot
store expiry information. Even if a helper returned an improvised
expiry attribute, git credential discards unrecognised attributes
between operations and between helpers.
This is a particular issue when a storage helper and a
credential-generating helper are configured together:
[credential]
helper = storage # eg. cache or osxkeychain
helper = generate # eg. oauth
`credential approve` stores the generated credential in both helpers
without expiry information. Later `credential fill` may return an
expired credential from storage. There is no workaround, no matter how
clever the second helper. The user sees authentication fail (a retry
will succeed).
Introduce a password expiry attribute. In `credential fill`, ignore
expired passwords and continue to query subsequent helpers.
In the example above, `credential fill` ignores the expired password
and a fresh credential is generated. If authentication succeeds,
`credential approve` replaces the expired password in storage.
If authentication fails, the expired credential is erased by
`credential reject`. It is unnecessary but harmless for storage
helpers to self prune expired credentials.
Add support for the new attribute to credential-cache.
Eventually, I hope to see support in other popular storage helpers.
Example usage in a credential-generating helper
https://github.com/hickford/git-credential-oauth/pull/16
Signed-off-by: M Hickford <mirth.hickford@gmail.com>
Reviewed-by: Calvin Wan <calvinwan@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2023-02-18 06:32:57 +00:00
|
|
|
`password_expiry_utc`::
|
|
|
|
|
|
|
|
Generated passwords such as an OAuth access token may have an expiry date.
|
|
|
|
When reading credentials from helpers, `git credential fill` ignores expired
|
|
|
|
passwords. Represented as Unix time UTC, seconds since 1970.
|
|
|
|
|
2023-04-21 09:47:59 +00:00
|
|
|
`oauth_refresh_token`::
|
|
|
|
|
|
|
|
An OAuth refresh token may accompany a password that is an OAuth access
|
|
|
|
token. Helpers must treat this attribute as confidential like the password
|
|
|
|
attribute. Git itself has no special behaviour for this attribute.
|
|
|
|
|
2012-07-18 12:06:26 +00:00
|
|
|
`url`::
|
|
|
|
|
|
|
|
When this special attribute is read by `git credential`, the
|
|
|
|
value is parsed as a URL and treated as if its constituent parts
|
|
|
|
were read (e.g., `url=https://example.com` would behave as if
|
|
|
|
`protocol=https` and `host=example.com` had been provided). This
|
2020-05-06 21:47:26 +00:00
|
|
|
can help callers avoid parsing URLs themselves.
|
2020-05-17 18:52:20 +00:00
|
|
|
+
|
|
|
|
Note that specifying a protocol is mandatory and if the URL
|
|
|
|
doesn't specify a hostname (e.g., "cert:///path/to/file") the
|
|
|
|
credential will contain a hostname attribute whose value is an
|
|
|
|
empty string.
|
|
|
|
+
|
|
|
|
Components which are missing from the URL (e.g., there is no
|
|
|
|
username in the example above) will be left unset.
|
2021-04-09 15:02:48 +00:00
|
|
|
|
2023-02-27 17:20:20 +00:00
|
|
|
`wwwauth[]`::
|
|
|
|
|
|
|
|
When an HTTP response is received by Git that includes one or more
|
|
|
|
'WWW-Authenticate' authentication headers, these will be passed by Git
|
|
|
|
to credential helpers.
|
|
|
|
+
|
|
|
|
Each 'WWW-Authenticate' header value is passed as a multi-valued
|
|
|
|
attribute 'wwwauth[]', where the order of the attributes is the same as
|
|
|
|
they appear in the HTTP response. This attribute is 'one-way' from Git
|
|
|
|
to pass additional information to credential helpers.
|
|
|
|
|
2022-10-24 07:57:48 +00:00
|
|
|
Unrecognised attributes are silently discarded.
|
|
|
|
|
2021-04-09 15:02:48 +00:00
|
|
|
GIT
|
|
|
|
---
|
|
|
|
Part of the linkgit:git[1] suite
|