How does Git Credential Manager (GCM) work without manually creating a personal access token (PAT)?

Time:03-25

I've scoured the web and have not found a clear answer, so maybe someone here can help me understand.

Summarizing the Question

Git Credential Manager (GCM) is another way to store your credentials securely and connect to GitHub over HTTPS. With GCM, you don't have to manually create and store a PAT, as GCM manages authentication on your behalf, including 2FA (two-factor authentication).

If you authenticate without GitHub CLI, you must authenticate with a personal access token. When Git prompts you for your password, enter your personal access token (PAT) instead. Password-based authentication for Git has been removed, and using a PAT is more secure. For more information, see "Creating a personal access token." Every time you use Git to authenticate with GitHub, you'll be prompted to enter your credentials to authenticate with GitHub, unless you cache them with a credential helper.

I'm really interested in the bold line above:

How does the GCM (Core) "manage" the authentication on my behalf without me having to create a PAT manually?

I tried to keep the question short and precise, but I will try to elaborate here a bit: I have tried to use Git for Windows (newest version) and also the Git that ships with VS 2022. Both are up to date and use the newest version of the Credential Manager Core, which is required for the new (since 2021) policy from GitHub that acc/pw is not allowed anymore and authentication now needs to use PATs. However, I'm wondering how the GCM actually magically works without manually creating a PAT in the GitHub settings (see links). From the mentioned articles, I strongly assume that the Windows Credential Manager holds some sort of access token (or maybe even acc/pw???). I hope to find some clarification about this.

  • Is the acc/pw stored, or a token, in the Windows Credential Manager (formerly aka Vault)?

  • Where is the token coming from, if not manually created by the user in GitHub? (Is there an API/web service from GitHub that is called by the GCM maybe??? If so, why do all those tutorials instruct to add PATs manually??? How would I be able to leverage the same functionality???)

Sidenotes:

  • All I ever did to authenticate GIT and VS was adding the GitHub account/pw into VS in the account section. After that, I never needed to type in username/pw OR any token at all. Neither for command line (portable) GIT (git-bash) nor for the VS included GIT.

  • I've checked the Windows Credential Manager passwords to verify whether they are indeed tokens or plain passwords. There's indeed some kind of access token (my pw is not saved there). But that's only half of my question. The more interesting part is actually: where does that token come from, and how do you get tokens from GitHub without manually creating them?! Moreover, what are the implications of that token (does it expire, when, and so on...)

Additional sources I searched:

Creating a personal access token

Authenticate with GitHub using a token

Support for password authentication was removed. Please use a personal access token instead

Only more mentions of manually created PATs... (exactly the opposite of what is asked)

How to do git commit using personal access token?

Git credential manager and manually created PAT

Using multiple git personal access tokens (PAT) with Credential Manager

Thanks a lot everybody!

CodePudding user response:

GitHub personal access tokens are just a special case of GitHub OAuth token. I don't remember exactly how the current GCM Core implementation works, since I think it has changed from the pre-Core GCM implementation, but it basically has you log in and does some sort of OAuth flow to issue a token for your account. Whether that's an actual PAT or a different kind of OAuth token is really irrelevant because they're essentially the same thing.

GCM Core can store credentials in a variety of places, including the system credential store (which differs depending on the operating system). Once they're stored, Git will use them as long as they're valid.

The reason most tutorials suggest generating a PAT yourself is because GCM Core, while available for multiple platforms, is not shipped by default anywhere except as part of Git for Windows. In fact, because it's written in .NET, it's usually a bit of a hassle to get it to work on macOS and Linux, and therefore other credential helpers are typically used instead. Some people also use different credential managers on Windows as well. Most people writing tutorials would like to suggest things which are generally applicable, and so suggesting a PAT is a simple and easy way to get folks up and running.

If you want to do a similar thing to issue tokens, GitHub provides documentation on how to do that with OAuth apps. These tokens, depending on the permissions that users have granted, can also be used to access the API if you need to do that.
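To make the answer concrete: whatever flow produced the token, GCM ultimately hands it to Git through Git's credential-helper protocol (Git invokes the helper with `get`, `store` or `erase` and a block of `key=value` lines ending in a blank line, and the helper answers `username`/`password`, where the "password" is the token). The following is an added illustration, not GCM's own code: an in-memory stand-in for the system credential store plus a classifier based on GitHub's announced token prefixes (`ghp_` for classic PATs, `gho_` for OAuth user tokens); the token value and account name are constructed.

```python
"""Minimal model of Git's credential-helper protocol (added example, not GCM code)."""

# GitHub's announced token prefixes. A token that GCM obtained through its OAuth
# flow carries gho_, while a PAT created by hand in Settings carries ghp_.
_PREFIXES = {"ghp_": "personal access token", "gho_": "OAuth user token"}


def parse_request(text: str) -> dict:
    """Parse the 'key=value' lines Git sends, stopping at the first blank line."""
    fields = {}
    for line in text.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def format_response(fields: dict) -> str:
    """Serialize a reply in the same line-oriented format, blank-line terminated."""
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"


def classify_token(token: str) -> str:
    """Tell a hand-made PAT from an OAuth-issued token by its prefix."""
    for prefix, kind in _PREFIXES.items():
        if token.startswith(prefix):
            return kind
    return "unknown"


class MemoryHelper:
    """Stand-in for a credential store such as Windows Credential Manager.

    Keyed by (protocol, host), exactly the fields Git includes in every request.
    """

    def __init__(self):
        self._store = {}

    def handle(self, action: str, request: str) -> str:
        req = parse_request(request)
        key = (req.get("protocol"), req.get("host"))
        if action == "get":
            found = self._store.get(key)
            return format_response(found) if found else ""  # "" = nothing cached
        if action == "store":  # Git calls this after a successful push/fetch
            self._store[key] = {"username": req["username"], "password": req["password"]}
        elif action == "erase":  # Git calls this after the server rejected the credential
            self._store.pop(key, None)
        return ""
```

Running `git credential fill` against a real helper sends the same `protocol`/`host` block shown here, which is a convenient way to see which kind of token a helper actually returns.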
