From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: Johannes Schindelin <Johannes.Schindelin@gmx.de>,
"brian m. carlson" <sandals@crustytoothpaste.net>,
Christian Halstrick <christian.halstrick@gmail.com>,
Git <git@vger.kernel.org>
Subject: Re: OAuth2 support in git?
Date: Mon, 18 Jun 2018 08:53:27 -0700 [thread overview]
Message-ID: <xmqqo9g8xf9k.fsf@gitster-ct.c.googlers.com> (raw)
In-Reply-To: <20180618041713.GA31125@sigill.intra.peff.net> (Jeff King's message of "Mon, 18 Jun 2018 00:17:14 -0400")
Jeff King <peff@peff.net> writes:
> On Sun, Jun 17, 2018 at 01:37:24PM +0200, Johannes Schindelin wrote:
>
>> > If it's just a custom Authorization header, we should be able to support
>> > it with existing curl versions without _too_ much effort.
>>
>> Indeed. Because it is already implemented:
>>
>> git -c http.extraheader="Authorization: Bearer ..." ...
>>
>> To make this a *little* safer, you can use http.<URL>.extraheader.
>
> Yeah, that will work for some cases. A few places it might not:
>
> - some people may want to provide this only in response to a 401
>
> - some tokens may need to be refreshed, which would require interacting
> with a credential helper to do the rest of the oauth conversation
>
> - there's no good way to hide your token in secure storage (versus
> sticking it on the command-line or in a config file).
And all of these three are what you get for free by building on the
credential helper framework, after extending it a bit so that the
filled credential structure can tell the http code to show it to the
other side as a bearer token, not a password or password hash. The
helper is asked to supply the auth material only after 401, which
covers both the first and the second points, and then keeping the
auth material in-core (e.g. cache--daemon) would be more secure
which covers the third point. Am I following you correctly?
Thanks.
next prev parent reply other threads:[~2018-06-18 15:53 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-14 8:09 OAuth2 support in git? Christian Halstrick
2018-06-14 10:13 ` brian m. carlson
2018-06-14 15:15 ` Jeff King
2018-06-14 20:46 ` Randall S. Becker
2018-06-14 21:01 ` Jeff King
2018-06-14 22:20 ` brian m. carlson
2018-06-17 11:37 ` Johannes Schindelin
2018-06-18 4:17 ` Jeff King
2018-06-18 15:53 ` Junio C Hamano [this message]
2018-06-18 21:26 ` Jeff King
2018-06-19 12:36 ` Christian Halstrick
2018-06-19 16:45 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqo9g8xf9k.fsf@gitster-ct.c.googlers.com \
--to=gitster@pobox.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=christian.halstrick@gmail.com \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).