Preconfigure Git Credential Manager as instance-wide OAuth application (#374172) · Issues · GitLab.org / GitLab · GitLab
Preconfigure Git Credential Manager as instance-wide OAuth application
OAuth credential helper Git Credential Manager (GCM) is a user-friendly Git authentication solution compatible with two-factor authentication. GCM is included in Git for Windows. It makes Git authentication just work without passwords, personal access tokens or SSH keys. This is useful to every Git user of every GitLab instance. Another OAuth credential helper is git-credential-oauth (included in Linux distributions).
The first time you authenticate, the helper opens the web browser and GitLab asks you to authorize the app. Subsequent authentication requires no interaction.
However, GCM only supports gitlab.com out of the box. Using it with another instance requires manual setup on GitLab to register an OAuth application. Similarly, git-credential-oauth only supports gitlab.com and some popular public instances, including gitlab.gnome.org, without manual configuration.
A huge improvement would be to preconfigure Git Credential Manager (and likewise git-credential-oauth) as an instance-wide application on all GitLab installs, with the same OAuth client id across instances. Then these helpers would work with all GitLab instances without manual configuration, a huge improvement in usable security.
The OAuth client details for both helpers are redirect URI http://127.0.0.1/ and scopes read_repository and write_repository. Both helpers are OAuth native apps. The app runs on the user's computer. There is no web app. GitLab users have to consent whenever authorizing an OAuth app (https://imgur.com/a/7RRUPES) which protects against client impersonation.
Security-wise, GitLab asks for user consent on each public client authorization, which protects against client impersonation.
(Update: having the same client secret across instances is not necessary, just client id)
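To make the native-app flow described above concrete, here is an added example (not GCM's, git-credential-oauth's or GitLab's own code) that models the OAuth 2.0 authorization-code flow with PKCE and the loopback redirect, using the two scopes and the http://127.0.0.1/ redirect URI named in the issue. It assumes GitLab's standard /oauth/authorize and /oauth/token endpoint paths; the instance URL gitlab.example.com, the client id, the token value and the FakeGitLab stand-in are constructed placeholders, and the stand-in applies the RFC 8252 rule that a registered loopback redirect matches any port. Because the helper is a public client there is no client secret anywhere in the exchange, which is why only a shared client id is needed across instances.

```python
"""Model of the loopback OAuth flow a Git credential helper runs as a native
public client. Constructed example: endpoints are GitLab's standard paths,
everything else is a placeholder or a fake."""
import base64
import hashlib
import secrets
import urllib.parse

AUTHORIZE_PATH = "/oauth/authorize"          # GitLab authorization endpoint
TOKEN_PATH = "/oauth/token"                  # GitLab token endpoint
SCOPES = ("read_repository", "write_repository")   # scopes named in the issue
REGISTERED_REDIRECT = "http://127.0.0.1/"    # redirect URI named in the issue


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """RFC 7636: random code_verifier and its S256 code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier, challenge):
    """Server-side check: S256(verifier) must equal the challenge sent earlier."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def loopback_matches(registered, requested):
    """RFC 8252 loopback rule: scheme, host and path must match, the port may differ."""
    r, q = urllib.parse.urlsplit(registered), urllib.parse.urlsplit(requested)
    return q.hostname == "127.0.0.1" and (r.scheme, r.hostname, r.path) == (q.scheme, q.hostname, q.path)


def build_authorization_url(instance, client_id, redirect_uri, state, challenge):
    """URL the helper opens in the browser; GitLab then shows the consent page."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
              "scope": " ".join(SCOPES), "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return instance.rstrip("/") + AUTHORIZE_PATH + "?" + urllib.parse.urlencode(params)


def parse_redirect(callback_url, expected_state):
    """Validate the redirect received on the loopback listener. A mismatched
    state means the callback was not produced by this request and is rejected."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorization denied: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return query["code"][0]


def build_token_request(instance, client_id, redirect_uri, code, verifier):
    """Token exchange body. Public client: no client_secret, the PKCE verifier
    proves the exchange comes from the process that started the flow."""
    body = {"client_id": client_id, "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
    return instance.rstrip("/") + TOKEN_PATH, body


def run_flow(instance, client_id, port, open_browser, post):
    """Drive the flow end to end. open_browser(url) returns the callback URL the
    loopback listener received; post(url, body) performs the token request.
    Both are injected so the flow runs offline against the fake server below."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    redirect_uri = f"http://127.0.0.1:{port}/"          # ephemeral listener port
    callback = open_browser(build_authorization_url(instance, client_id, redirect_uri, state, challenge))
    code = parse_redirect(callback, state)
    token_url, body = build_token_request(instance, client_id, redirect_uri, code, verifier)
    return post(token_url, body)


class FakeGitLab:
    """Constructed stand-in for the two GitLab OAuth endpoints plus a consenting user."""

    def __init__(self, client_id):
        self.client_id = client_id
        self.pending = {}                                # code -> (challenge, redirect_uri)

    def authorize(self, url):                            # browser + user clicking "Authorize"
        q = {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}
        if q.get("client_id") != self.client_id or q.get("code_challenge_method") != "S256":
            return q["redirect_uri"] + "?" + urllib.parse.urlencode({"error": "invalid_request", "state": q.get("state", "")})
        if not loopback_matches(REGISTERED_REDIRECT, q["redirect_uri"]):
            raise RuntimeError("redirect_uri does not match the registered loopback URI")
        code = secrets.token_urlsafe(12)
        self.pending[code] = (q["code_challenge"], q["redirect_uri"])
        return q["redirect_uri"] + "?" + urllib.parse.urlencode({"code": code, "state": q["state"]})

    def token(self, url, body):
        challenge, redirect_uri = self.pending.pop(body["code"], (None, None))
        if challenge is None or body["redirect_uri"] != redirect_uri or not verify_pkce(body["code_verifier"], challenge):
            return {"error": "invalid_grant"}
        return {"access_token": "fake-token-" + secrets.token_hex(8), "token_type": "bearer", "scope": " ".join(SCOPES)}


def demo():
    client_id = "example-client-id"                      # placeholder, not a real helper client id
    server = FakeGitLab(client_id)
    return run_flow("https://gitlab.example.com", client_id, 49152, server.authorize, server.token)


if __name__ == "__main__":
    print(demo())
```

In a real helper the `open_browser` step is a short-lived HTTP listener on the chosen port plus a call to the system browser, and `post` is an HTTPS request to the instance; the security checks (state comparison, PKCE verification, redirect URI matching) are the parts worth keeping exactly as shown.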
Edited Jun 06, 2023 by M Hickford