From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS3215 2.6.0.0/16 X-Spam-Status: No, score=-3.9 required=3.0 tests=AWL,BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by dcvr.yhbt.net (Postfix) with ESMTP id E04C41F45A for ; Thu, 27 Oct 2022 20:22:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236873AbiJ0UWA (ORCPT ); Thu, 27 Oct 2022 16:22:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56218 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235514AbiJ0UV7 (ORCPT ); Thu, 27 Oct 2022 16:21:59 -0400 Received: from cloud.peff.net (cloud.peff.net [104.130.231.41]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0D3EB6F260 for ; Thu, 27 Oct 2022 13:21:58 -0700 (PDT) Received: (qmail 18005 invoked by uid 109); 27 Oct 2022 20:21:58 -0000 Received: from Unknown (HELO peff.net) (10.0.1.2) by cloud.peff.net (qpsmtpd/0.94) with ESMTP; Thu, 27 Oct 2022 20:21:58 +0000 Authentication-Results: cloud.peff.net; auth=none Received: (qmail 24370 invoked by uid 111); 27 Oct 2022 20:21:58 -0000 Received: from coredump.intra.peff.net (HELO sigill.intra.peff.net) (10.0.0.2) by peff.net (qpsmtpd/0.94) with (TLS_AES_256_GCM_SHA384 encrypted) ESMTPS; Thu, 27 Oct 2022 16:21:58 -0400 Authentication-Results: peff.net; auth=none Date: Thu, 27 Oct 2022 16:21:57 -0400 From: Jeff King To: Junio C Hamano Cc: M Hickford via GitGitGadget , git@vger.kernel.org, M Hickford Subject: Re: [PATCH] Mention that password could be a personal access token. Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org On Thu, Oct 27, 2022 at 10:40:13AM -0700, Junio C Hamano wrote: > "M Hickford via GitGitGadget" writes: > > > `password`:: > > > > - The credential's password, if we are asking it to be stored. > > + The credential's password, if we are asking it to be stored. If the > > + host is a software forge, this could also be a personal access > > + token or OAuth access token. > > Is this limited to software forge hosts? > > Also, I wonder if the specific "it can be access token and not > password" is something worth adding. If there were a service styled > after the good-old "anonymous ftp", it would expect the constant > string 'anonymous' as the "username", and would expect to see your > identity (e.g. 'mirth.hickford@gmail.com') as the "password". The > point is that it does not matter what it is called on the end-user's > side, be it a password or access token or whatever. It is what the > other end that provides the service wants to see after you claimed > who you are by providing "username", usually (but not necessarily) > in order to prove your claim. > > So, I dunno. FWIW, I had the same reaction. From the client perspective for https, this is going over basic-auth, and it might be nice to just say so. But of course the whole credential system is abstract, so it gets awkward. We could probably say something like: The credential's password, if we are asking it to be stored. Note that this may not strictly be a traditional password, but rather any secret string which is used for authentication. For instance, Git's HTTP protocol will generally pass this using an Authorization header; depending on what the server is expecting this may be a password typed by the user, a personal access token, or some other opaque value. Maybe that is getting too into the weeds. OTOH, anybody reading this far into git-credential(1) is probably pretty technical. There may be a better way of wording it, too. Another way of thinking about it that it's basically any secret that is a single string, and not part of a challenge/response protocol. I couldn't find a way to word that which didn't end up more confusing, though. ;) -Peff