Preconfigure Git Credential Manager as instance-wide OAuth application #11007

New Issue

Closed

opened 2025-11-02 09:24:44 -06:00 by GiteaMirror · 11 comments

GiteaMirror commented 2025-11-02 09:24:44 -06:00

Owner

Copy Link

Originally created by @shyim on GitHub (Jun 10, 2023).

Feature Description

It would be really nice if there would be a instance-wide OAuth application only for the purpose of using it with the Git Credential Manager or git-credential-oauth. This would allow Git authentication just work without passwords, personal access tokens or SSH keys.

The OAuth client details for both helpers are redirect URI http://127.0.0.1/, only the client-id needs to be same between all instances.

There is also a similar request to Gitlab: https://gitlab.com/gitlab-org/gitlab/-/issues/374172

Screenshots

No response

Originally created by @shyim on GitHub (Jun 10, 2023). ### Feature Description It would be really nice if there would be a instance-wide OAuth application only for the purpose of using it with the [Git Credential Manager](https://github.com/git-ecosystem/git-credential-manager) or [git-credential-oauth](https://github.com/hickford/git-credential-oauth). This would allow Git authentication *just work* without passwords, personal access tokens or SSH keys. The OAuth client details for both helpers are redirect URI http://127.0.0.1/, only the client-id needs to be same between all instances. There is also a similar request to Gitlab: https://gitlab.com/gitlab-org/gitlab/-/issues/374172 ### Screenshots _No response_

GiteaMirror added the proposal/acceptedtype/proposaltype/feature labels 2025-11-02 09:24:44 -06:00

GiteaMirror closed this issue 2025-11-02 09:24:45 -06:00

GiteaMirror commented 2025-11-02 09:24:45 -06:00

Author

Owner

Copy Link

@denyskon commented on GitHub (Jul 2, 2023):

@hickford You seem to be the author of git-credential-oauth. If we tried to integrate it into Gitea, would a pre-registered OAuth application be enough for it to work? Would we need to implement something else?

@denyskon commented on GitHub (Jul 2, 2023): @hickford You seem to be the author of git-credential-oauth. If we tried to integrate it into Gitea, would a pre-registered OAuth application be enough for it to work? Would we need to implement something else?

GiteaMirror commented 2025-11-02 09:24:45 -06:00

Author

Owner

Copy Link

@hickford commented on GitHub (Jul 2, 2023):

@denyskon Two changes are necessary:

1. In a migration (pseudocode), insert an OAuth2Application record for git-credential-oauth. The client id must be the same on all instances.
2. So that git-credential-oauth can identify Gitea instances and select the appropriate configuration, change the 401 Unauthorized http header from Www-Authenticate: Basic realm="." to something like Www-Authenticate: Basic realm="Gitea"

@hickford commented on GitHub (Jul 2, 2023): @denyskon Two changes are necessary: 1. In a migration ([pseudocode](https://gitlab.com/gitlab-org/gitlab/-/issues/413809#note_1451710379)), insert an OAuth2Application record for git-credential-oauth. The client id must be the same on all instances. 2. So that git-credential-oauth can identify Gitea instances and select the appropriate configuration, change the 401 Unauthorized http header from `Www-Authenticate: Basic realm="."` to something like `Www-Authenticate: Basic realm="Gitea"`

GiteaMirror commented 2025-11-02 09:24:45 -06:00

Author

Owner

Copy Link

@hickford commented on GitHub (Jul 3, 2023):

@shyim @denyskon I sketched an implementation in #25653 but it has a problem: the OAuth2Application isn't created on first time install. Maybe there's a better alternative to using a migration. If you have any ideas how to fix, please have a go.

@hickford commented on GitHub (Jul 3, 2023): @shyim @denyskon I sketched an implementation in #25653 but it has a problem: the OAuth2Application isn't created on first time install. Maybe there's a better alternative to using a migration. If you have any ideas how to fix, please have a go.

GiteaMirror commented 2025-11-02 09:24:45 -06:00

Author

Owner

Copy Link

@denyskon commented on GitHub (Jul 3, 2023):

Thanks, I'll take a look tomorrow.

@denyskon commented on GitHub (Jul 3, 2023): Thanks, I'll take a look tomorrow.

GiteaMirror commented 2025-11-02 09:24:46 -06:00

Author

Owner

Copy Link

@hickford commented on GitHub (Jul 8, 2023):

An alternative approach could be to hard code the application in GetOAuth2ApplicationByClientID without database records. https://github.com/go-gitea/gitea/pull/25774

@hickford commented on GitHub (Jul 8, 2023): An alternative approach could be to hard code the application in GetOAuth2ApplicationByClientID without database records. https://github.com/go-gitea/gitea/pull/25774

GiteaMirror commented 2025-11-02 09:24:46 -06:00

Author

Owner

Copy Link

@hickford commented on GitHub (Jul 9, 2023):

@shyim @denyskon https://github.com/go-gitea/gitea/pull/25653 working, ready for review

@hickford commented on GitHub (Jul 9, 2023): @shyim @denyskon https://github.com/go-gitea/gitea/pull/25653 working, ready for review

GiteaMirror commented 2025-11-02 09:24:47 -06:00

Author

Owner

Copy Link

@hickford commented on GitHub (Jul 10, 2023):

Security wise, it would be prudent to fix https://github.com/go-gitea/gitea/issues/25061 and #25813 , because these would protect the preconfigured OAuth client from client impersonation, and limit its scope.

@hickford commented on GitHub (Jul 10, 2023): Security wise, it would be prudent to fix https://github.com/go-gitea/gitea/issues/25061 and #25813 , because these would protect the preconfigured OAuth client from client impersonation, and limit its scope.

GiteaMirror commented 2025-11-02 09:24:47 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Aug 10, 2023):

This has been resolved by #26291

@lunny commented on GitHub (Aug 10, 2023): This has been resolved by #26291

GiteaMirror commented 2025-11-02 09:24:47 -06:00

Author

Owner

Copy Link

@hickford commented on GitHub (Aug 10, 2023):

Released https://github.com/hickford/git-credential-oauth/releases/tag/v0.10.0 with universal Gitea support

Tested with https://try.gitea.io/

Requires both:

• Gitea 1.21 or greater
• Git 2.41 or greater

@hickford commented on GitHub (Aug 10, 2023): Released https://github.com/hickford/git-credential-oauth/releases/tag/v0.10.0 with universal Gitea support Tested with https://try.gitea.io/ Requires both: * Gitea 1.21 or greater * Git 2.41 or greater

GiteaMirror commented 2025-11-02 09:24:48 -06:00

Author

Owner

Copy Link

@denyskon commented on GitHub (Aug 10, 2023):

@hickford Thanks for that quick implementation! Is anything needed from Gitea's side to also make it happen for Git Credential Manager?

@denyskon commented on GitHub (Aug 10, 2023): @hickford Thanks for that quick implementation! Is anything needed from Gitea's side to also make it happen for Git Credential Manager?

GiteaMirror commented 2025-11-02 09:24:48 -06:00

Author

Owner

Copy Link

@hickford commented on GitHub (Aug 10, 2023):

Is anything needed from Gitea's side to also make it happen for Git Credential Manager?

@denyskon I don't think so. The implementation would be similar to 79a00fb737

@hickford commented on GitHub (Aug 10, 2023): > Is anything needed from Gitea's side to also make it happen for [Git Credential Manager](https://github.com/git-ecosystem/git-credential-manager)? @denyskon I don't think so. The implementation would be similar to https://github.com/hickford/git-credential-oauth/commit/79a00fb737159a6bbb245d0a42f94ce0c78d0957

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label proposal/accepted type/feature type/proposal

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#11007