From: M Hickford <mirth.hickford@gmail.com>
To: "brian m. carlson" <sandals@crustytoothpaste.net>,
M Hickford via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org, peff@peff.net, msuchanek@suse.de,
lessleydennington@gmail.com, me@ttaylorr.com,
mjcheetham@github.com, M Hickford <mirth.hickford@gmail.com>
Subject: Re: [PATCH] doc: gitcredentials: introduce OAuth helpers
Date: Mon, 29 May 2023 10:50:18 +0100 [thread overview]
Message-ID: <CAGJzqskGMn9rJDmcC1_ctKV-ut90twK5=FoH9fyUiqKrq6EqFA@mail.gmail.com> (raw)
In-Reply-To: <ZHPa27fbAoKL0uGj@tapette.crustytoothpaste.net>
On Sun, 28 May 2023 at 23:51, brian m. carlson
<sandals@crustytoothpaste.net> wrote:
>
> On 2023-05-28 at 19:45:27, M Hickford via GitGitGadget wrote:
> > From: M Hickford <mirth.hickford@gmail.com>
> >
> > OAuth credential helpers are widely useful but work differently to other
> > credential helpers, so worth introducing in the docs.
> >
> > Link to relevant projects.
>
> There are many possible implementations of credential helpers, and I'd
> prefer we didn't specifically propose any of them here. We ship with
> some in contrib, and I think it would be better to fix them to be
> functional for this use case rather than link to external projects.
Thanks Brian for your reply. I'd love to upstream OAuth functionality
in Git, but I think it'd be prohibitively difficult technically without
introducing extra dependencies. git-credential-oauth is little more
than 100 lines of Go, but it takes advantage of Go's broad standard
library and a library for OAuth. I expect that would require tens of
thousands of lines of challenging C.
https://github.com/hickford/git-credential-oauth/issues/8
I think OAuth is such a boon for usable security that it's worth
describing and linking to external projects. The text aims to inform
the user rather than tell them to use a particular project. An
alternative would be to link to a new 'credential helpers' page on
git-scm.com
>
> I expect, however, that functionally, that will be difficult to do,
> given the fact that OAuth typically requires registration with the
> remote system, and thus we'd intrinsically be prioritizing some
> well-known forges over less-known or personally-hosted forges, which
> we've traditionally tried not to do. For example, your
In that spirit, the patch avoids naming "popular Git hosts".
> git-credential-oauth contains a hard-coded list of 11 forges (and also
> proposes adding credentials for new ones into the config, which isn't
> really a secure way to store secrets).
To clarify, it's expected that client credentials in OAuth native apps
(unlike web apps) are non-confidential. "It is assumed that any client
authentication credentials included in the application can be
extracted" https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
> --
> brian m. carlson (he/him or they/them)
> Toronto, Ontario, CA
next prev parent reply other threads:[~2023-05-29 9:51 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-28 19:45 [PATCH] doc: gitcredentials: introduce OAuth helpers M Hickford via GitGitGadget
2023-05-28 22:51 ` brian m. carlson
2023-05-29 9:50 ` M Hickford [this message]
2023-06-21 6:28 ` M Hickford
2023-06-21 7:30 ` [PATCH v2] doc: gitcredentials: link to helper list M Hickford via GitGitGadget
2023-06-27 8:21 ` Jeff King
2023-07-08 20:36 ` [PATCH v3] " M Hickford via GitGitGadget
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGJzqskGMn9rJDmcC1_ctKV-ut90twK5=FoH9fyUiqKrq6EqFA@mail.gmail.com' \
--to=mirth.hickford@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=lessleydennington@gmail.com \
--cc=me@ttaylorr.com \
--cc=mjcheetham@github.com \
--cc=msuchanek@suse.de \
--cc=peff@peff.net \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).