Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GCM does not prompt for auth on first git call after PATs expire #1705

Open
whitneyschmidt opened this issue Sep 19, 2024 · 3 comments
Open
Labels
auth-issue An issue authenticating to a host

Comments

@whitneyschmidt
Copy link

whitneyschmidt commented Sep 19, 2024

Version

2.5.1+90d5f897f164a8fe07d2aa3bf7db439b0b4e03ea

Operating system

Windows

OS version or distribution

Windows 11

Git hosting provider(s)

Azure DevOps

Other hosting provider

No response

(Azure DevOps only) What format is your remote URL?

https://{org}.visualstudio.com

Can you access the remote repository directly in the browser?

Yes, I can access the repository

Expected behavior

GCM will prompt for auth on the first git.exe call after my PAT expires.

Actual behavior

GCM will not prompt for auth on the first git.exe call after my PAT expires, I am required to make a second git.exe call for GCM to prompt.

Image

Logs

No response

@whitneyschmidt whitneyschmidt added the auth-issue An issue authenticating to a host label Sep 19, 2024
@whitneyschmidt
Copy link
Author

My understanding is that this is a GCM limitation due to the way that git.exe handles expired PATs. Are there any plans to implement a fix or improvement for the issue, or recommendations for a workaround?

@whitneyschmidt
Copy link
Author

A bit more info:

Is there a workaround for needing to retry?
Yes, you can switch from using PATs to using OAuth by running the following command:

git config --global credential.azreposCredentialType oauth
I've validated that ^ switches to OAuth and eliminates the need to re-auth due to PATs expiring.

Why do PATs require re-trying the git.exe op? git will fail after the PAT has expired, but GCM doesn't have a way to know that it's expired without trying again. tldr; GCM implementation detail.

Will there be a fix that eliminates the need to retry to surface the GCM dialog? Git improvements to credential helper protocol would allow GCM to respond to an initial failure and get a second chance to retry/reauth.

Why does GCM default to PATs instead of OAuth?
PATs were the default before OAuth was supported by GCM. It also used to be the case that some very old versions of Git didn't support long tokens, but this is no longer the case.

What's the different between PATs and OAuth? Are the any drawbacks to switching to OAuth?

The main difference and complication with OAuth is that GCM would now maintain an identity -> resource mapping, whereas before the PAT was directly linked to the URL/resource. There are some edge cases or weird set ups with multiple user accounts or guests in a tenant that can confuse GCM, and haven’t been well tested.

cc @mjcheetham

@rwoll
Copy link

rwoll commented Dec 12, 2024

I'm facing a similar issue, but am not using PATs.

My first call to git fetch fails with:

fatal: Authentication failed for 'https://<redacted>.visualstudio.com/1ES/_git/<redacted>/'

But the subsequent invocation of git fetch triggers a re-auth flow (auto opens the browser, has me pick an account, completes) then completes the fetch.

This is what I have in my .gitconfig:

[credential]
	helper = 
	helper = /usr/local/share/gcm-core/git-credential-manager
[credential "https://dev.azure.com"]
	useHttpPath = true
$ git --version
git version 2.39.0
$ /usr/local/share/gcm-core/git-credential-manager --version
2.5.0+d34930736e131ad80e5690e5634ced1808aff3e2
macOS 15.1.1 (24B91)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auth-issue An issue authenticating to a host
Projects
None yet
Development

No branches or pull requests

2 participants