Thread: 5 messages, 4 authors, 2022-11-01

Re: [PATCH] Mention that password could be a personal access token.

From: Jeff King <hidden>
Date: 2022-10-27 20:22:01

On Thu, Oct 27, 2022 at 10:40:13AM -0700, Junio C Hamano wrote:
"M Hickford via GitGitGadget" [off-list ref] writes:
 `password`::
 
-	The credential's password, if we are asking it to be stored.
+	The credential's password, if we are asking it to be stored. If the
+	host is a software forge, this could also be a personal access
+	token or OAuth access token.
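Review bot: the qualifier "If the host is a software forge" in the added sentence narrows the statement more than the field warrants; the `password` value is opaque to Git and is simply whatever secret the server expects alongside `username`, whether or not the host is a forge. Suggest dropping the host-type condition and saying the value may be any secret string used for authentication, with a personal access token or OAuth access token given as an example rather than as a forge-only case.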
Is this limited to software forge hosts?

Also, I wonder if the specific "it can be access token and not
password" is something worth adding.  If there were a service styled
after the good-old "anonymous ftp", it would expect the constant
string 'anonymous' as the "username", and would expect to see your
identity (e.g. 'mirth.hickford@gmail.com') as the "password".  The
point is that it does not matter what it is called on the end-user's
side, be it a password or access token or whatever.  It is what the
other end that provides the service wants to see after you claimed
who you are by providing "username", usually (but not necessarily)
in order to prove your claim.

So, I dunno.

FWIW, I had the same reaction. From the client perspective for https,
this is going over basic-auth, and it might be nice to just say so. But
of course the whole credential system is abstract, so it gets awkward.
We could probably say something like:

  The credential's password, if we are asking it to be stored. Note that
  this may not strictly be a traditional password, but rather any secret
  string which is used for authentication. For instance, Git's HTTP
  protocol will generally pass this using an Authorization header;
  depending on what the server is expecting this may be a password typed
  by the user, a personal access token, or some other opaque value.

Maybe that is getting too into the weeds. OTOH, anybody reading this far
into git-credential(1) is probably pretty technical. There may be a
better way of wording it, too. Another way of thinking about it that
it's basically any secret that is a single string, and not part of a
challenge/response protocol. I couldn't find a way to word that which
didn't end up more confusing, though. ;)

-Peff
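To make the point in the message above concrete, here is an added example (not code from the thread or from Git itself) that reads the key=value credential description git-credential(1) exchanges with helpers and shows what Git's HTTP transport ends up sending: the `password` value, whatever it is called on the user's side, is placed verbatim next to the `username` in a Basic Authorization header. The sample descriptions, including the `ghp_...` token string and the anonymous-ftp-style case, are constructed for illustration and are not real credentials; `parse_credential` and `basic_authorization` are hypothetical helper names.

```python
import base64


def parse_credential(text: str) -> dict:
    """Parse the key=value description used by git-credential(1).

    One attribute per line; the first blank line terminates the
    description. Values are treated as opaque strings: nothing here
    (and nothing in Git) interprets `password` beyond passing it on.
    """
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        attrs[key] = value  # a later duplicate key overrides an earlier one
    return attrs


def basic_authorization(username: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic auth (RFC 7617).

    The secret is not classified as password, token, or anything else;
    it is simply the string after the colon. The user-id, however, must
    not contain a colon, since that would shift the split on the server.
    """
    if ":" in username:
        raise ValueError("Basic auth user-id must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authorization_for(description: str) -> str:
    """Map a credential description straight to the header Git would send."""
    attrs = parse_credential(description)
    return basic_authorization(attrs["username"], attrs["password"])


# Constructed sample descriptions (fake values, not real secrets).
FORGE_STYLE = (
    "protocol=https\n"
    "host=git.example.com\n"
    "username=alice\n"
    "password=ghp_constructedExampleToken0000\n"
    "\n"
)

ANONYMOUS_FTP_STYLE = (
    "protocol=https\n"
    "host=mirror.example.net\n"
    "username=anonymous\n"
    "password=someone@example.org\n"
    "\n"
)

if __name__ == "__main__":
    # Both cases go through exactly the same path: the server decides
    # what the second field means, the client never does.
    print(authorization_for(FORGE_STYLE))
    print(authorization_for(ANONYMOUS_FTP_STYLE))
```

The base64 step is an encoding, not encryption: anyone who can read the header can recover the token, which is why Git only sends it over the transport the `protocol` attribute names and why a leaked `Authorization` header is as serious as a leaked password.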