{"id":16315379,"url":"https://github.com/hickford/git-credential-oauth","last_synced_at":"2026-01-06T12:10:19.928Z","repository":{"id":61629106,"uuid":"551557177","full_name":"hickford/git-credential-oauth","owner":"hickford","description":"A Git credential helper that securely authenticates to GitHub, GitLab and BitBucket using OAuth.","archived":false,"fork":false,"pushed_at":"2025-05-05T21:04:23.000Z","size":111,"stargazers_count":534,"open_issues_count":18,"forks_count":22,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-05-05T23:50:57.749Z","etag":null,"topics":["git","git-credential-helper","usable-security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hickford.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"hickford"}},"created_at":"2022-10-14T16:20:37.000Z","updated_at":"2025-05-05T21:01:39.000Z","dependencies_parsed_at":"2023-10-04T22:51:54.372Z","dependency_job_id":"4b8e2028-29ad-4b07-ae02-d9a0fdc95adc","html_url":"https://github.com/hickford/git-credential-oauth","commit_stats":{"total_commits":143,"total_committers":2,"mean_commits":71.5,"dds":0.006993006993006978,"last_synced_commit":"64517aa71d82fe12eee218238d85c713dafbf6ff"},"previous_names":[],"tags_count":36,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hickford%2Fgit-credential-oauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/hickford%2Fgit-credential-oauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hickford%2Fgit-credential-oauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hickford%2Fgit-credential-oauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hickford","download_url":"https://codeload.github.com/hickford/git-credential-oauth/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254301432,"owners_count":22047904,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git","git-credential-helper","usable-security"],"created_at":"2024-10-10T21:57:18.778Z","updated_at":"2026-01-02T21:12:57.380Z","avatar_url":"https://github.com/hickford.png","language":"Go","funding_links":["https://github.com/sponsors/hickford"],"categories":[],"sub_categories":[],"readme":"git-credential-oauth\n====================\n\n*No more passwords! No more personal access tokens! 
No more SSH keys!*\n\ngit-credential-oauth is a Git credential helper that securely authenticates to GitHub, GitLab, BitBucket and Gerrit using [OAuth](https://datatracker.ietf.org/wg/oauth/about/).\n\nThe first time you authenticate, the helper opens a browser window to the host.\nSubsequent authentication within storage lifetime is non-interactive.\n\n## Motivation\n\nGit assumes users can type a password from memory, but hosts such as GitHub no longer accept passwords without two-factor authentication.\nPersonal access tokens are easy enough to copy and paste but awkward to store securely.\n[git-credential-cache](https://git-scm.com/docs/git-credential-cache) works well for passwords but not personal access tokens because the token is lost when the cache expires.\nAll in all, the usability is so poor that the [most popular advice on StackOverflow](https://stackoverflow.com/a/35942890/284795) is to insecurely save credentials in plaintext!\n\nOAuth has multiple advantages over personal access tokens or SSH:\n\n| Advantage                                  | OAuth | Personal access token | SSH |\n|--------------------------------------------|-------|-----------------------|-----|\n| Clone public repo without setup            | ✔     | ✔                     | 🗙   |\n| Authenticate to popular hosts without setup| ✔     | 🗙                     | 🗙   |\n| Server authenticity verified automatically | ✔     | ✔                     | 🗙   |\n| Protections against token theft[^1] | [✔](https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-22.html#name-refresh-token-protection)     | 🗙                     | *only if key has passphrase*   |\n\n[^1]: Scenario: an old disk backup is leaked.\n\n## Features by host\n\n| Host                | Preconfigured | OAuth             | OAuth device flow |\n|---------------------|---------------|-------------------|-------------------|\n| github.com          | ✔             | ✔                 | ✔                 |\n| GitHub 
Enterprise Server | 🗙        | ✔                 | ✔                 |\n| gitlab.com          | ✔             | ✔                 | ✔                 |\n| gitlab.example.com  | [🗙](https://gitlab.com/gitlab-org/gitlab/-/issues/374172)            | ✔                 | ✔                 |\n| gitea.example.com   | ✔             | ✔                 | [🗙](https://github.com/go-gitea/gitea/issues/27309)                 |\n| forgejo.example.com | ✔             | ✔                 | [🗙](https://codeberg.org/forgejo/forgejo/issues/4830) |\n| bitbucket.org       | ✔             | ✔                 | 🗙                 |\n| googlesource.com    | ✔             | ✔                 | [🗙](https://github.com/hickford/git-credential-oauth/issues/38) |\n\nOAuth device flow is useful for browserless systems.\n\n## Installation\n\n### All platforms\n\n**Download** binary from \u003chttps://github.com/hickford/git-credential-oauth/releases\u003e.\n\nThen test that Git can find the application:\n\n\tgit credential-oauth\n\nIf you have problems, make sure that the binary is [located in the path](https://superuser.com/a/284351/62691) and [is executable](https://askubuntu.com/a/229592/18504).\n\n### Linux\n\n[Several Linux distributions](https://repology.org/project/git-credential-oauth/versions) include a git-credential-oauth package including [Fedora](https://packages.fedoraproject.org/pkgs/git-credential-oauth/git-credential-oauth/), [Debian](https://tracker.debian.org/pkg/git-credential-oauth) and [Ubuntu](https://packages.ubuntu.com/noble/git-credential-oauth). Ubuntu users can also use PPA [hickford/git-credential-oauth](https://launchpad.net/~hickford/+archive/ubuntu/git-credential-oauth) to install the latest release. 
\n\n[![Packaging status](https://repology.org/badge/vertical-allrepos/git-credential-oauth.svg?exclude_unsupported=1\u0026header=)](https://repology.org/project/git-credential-oauth/versions)\n\n### macOS\n\n#### Homebrew\n\nmacOS users can install from [Homebrew](https://formulae.brew.sh/formula/git-credential-oauth#default):\n\n\tbrew install git-credential-oauth\n\t\n#### MacPorts\n\nmacOS users can alternatively install via [MacPorts](https://ports.macports.org/port/git-credential-oauth/):\n\n\tsudo port install git-credential-oauth\n\n### Windows\n\nInstall with [winget](https://learn.microsoft.com/en-us/windows/package-manager/winget/):\n\n    winget install hickford.git-credential-oauth\n\n### Go users\n\nGo users can install the latest release to `~/go/bin` with:\n\n\tgo install github.com/hickford/git-credential-oauth@latest\n\n## Configuration\n\nAs a convenience, you can run:\n\n```sh\ngit credential-oauth configure\n```\n\nThis uses the recommended config below.\n\n### How it works\n\nGit is cleverly designed to [support multiple credential helpers](https://git-scm.com/docs/gitcredentials#_custom_helpers). To fill credentials, Git calls each helper in turn until it has the information it needs. git-credential-oauth is a read-only credential-generating helper, designed to be configured in combination with a storage helper.\n\nTo configure together with [git-credential-cache](https://git-scm.com/docs/git-credential-cache):\n\n```sh\ngit config --global --unset-all credential.helper\ngit config --global --add credential.helper \"cache --timeout 21600\" # six hours\ngit config --global --add credential.helper oauth\n```\n\nYou may choose a different storage helper such as `osxkeychain`, `wincred` or `libsecret`, but git-credential-oauth must be configured last. 
This ensures Git checks for *stored* credentials before generating *new* credentials.\n\n**Windows users** are recommended to use storage helper `wincred`.\n\n### Manual config\n\nEdit your [global git config](https://git-scm.com/docs/git-config#FILES) `~/.gitconfig` to include the following lines:\n\n```ini\n[credential]\n\thelper = cache --timeout 21600\t# six hours\n\thelper = oauth\n```\n\n### Browserless systems\n\nOn systems without a web browser, set the `-device` flag to authenticate on another device using [OAuth device flow](https://www.rfc-editor.org/rfc/rfc8628). \n\n```ini\n[credential]\n\thelper = cache --timeout 21600\t# six hours\n\thelper = oauth -device\n```\n\nCurrently only GitHub and [GitLab](https://docs.gitlab.com/ee/api/oauth2.html#device-authorization-grant-flow) support this flow. See Gitea feature request [#27309](https://github.com/go-gitea/gitea/issues/27309).\n\n### Unconfiguration\n\nEdit `~/.gitconfig` manually, or run:\n\n\tgit config --global --unset-all credential.helper oauth\n\n## Custom hosts\n\n### GitLab\n\n\u003e [!TIP]\n\u003e Would you like universal GitLab support without configuration? Vote for [GitLab issue #374172](https://gitlab.com/gitlab-org/gitlab/-/issues/374172)!\n\nTo use with a custom host, eg. `gitlab.example.com`:\n\n1. [Register an OAuth application](https://docs.gitlab.com/ee/integration/oauth_provider.html#user-owned-applications) on the host.\n    * Browse to eg. https://gitlab.example.com/-/profile/applications.\n\t* \"Add new application\"\n\t* Specify name `git-credential-oauth`.\n\t* Specify redirect URI `http://127.0.0.1`.\n\t* Uncheck \"confidential\"\n\t* Select scopes \"read_repository\" and \"write_repository\".\n\t* \"Save application\".\n2. Adjust the config command below with the generated client id.\n3. 
Share the config command with colleagues so they can skip the registration step.\n\n```sh\ngit config --global credential.https://gitlab.example.com.oauthClientId \u003cCLIENTID\u003e\ngit config --global credential.https://gitlab.example.com.oauthScopes \"read_repository write_repository\"\ngit config --global credential.https://gitlab.example.com.oauthAuthURL /oauth/authorize\ngit config --global credential.https://gitlab.example.com.oauthTokenURL /oauth/token\ngit config --global credential.https://gitlab.example.com.oauthDeviceAuthURL /oauth/authorize_device\n```\n\n### Other\n\n1. Register an OAuth application.\n\t* Specify name `git-credential-oauth`\n\t* Specify redirect URI `http://127.0.0.1`.\n\t* Select scopes for read and write Git operations.\n2. Consult the documentation for OAuth scopes and URLs.\n3. Adjust the config commands below with the generated client id, OAuth scopes and relative URLs.\n4. Share the config commands with colleagues so they can skip the registration step.\n\n```sh\ngit config --global credential.https://code.example.com.oauthClientId \u003cCLIENTID\u003e\ngit config --global credential.https://code.example.com.oauthScopes \"read_repository write_repository\"\ngit config --global credential.https://code.example.com.oauthAuthURL /oauth/authorize\ngit config --global credential.https://code.example.com.oauthTokenURL /oauth/token\ngit config --global credential.https://code.example.com.oauthDeviceAuthURL /oauth/authorize_device\n```\n\n## Philosophy\n\n* Do one thing well, namely OAuth authentication.\n* Interoperate with other credential helpers.\n* [Contribute upstream](https://lore.kernel.org/git/?q=f%3Ahickford+s%3Acredential) to improve the ecosystem.\n\n## Comparison with Git Credential Manager\n\n[Git Credential Manager](https://github.com/GitCredentialManager/git-credential-manager) (GCM) is an excellent credential helper with broader functionality. 
However, because it's developed in .NET, GCM is [prohibitively difficult for Linux distributions to package](https://github.com/dotnet/source-build/discussions/2960).\n\n|                | Git Credential Manager | git-credential-oauth |\n|----------------|------------------------|----------------------|\n| Cross platform | ✔                      | ✔                     |\n| Linux arm64 support            | 🗙               | ✔                            |\n| Packaged in Linux distributions               | 🗙            | ✔ ([many](https://repology.org/project/git-credential-oauth/versions)) |\n| Installation size (Linux) | [82 MB](https://github.com/git-ecosystem/git-credential-manager/issues/1212#issuecomment-1530304873) | 5 MB                 |\n| Installation size (Windows) | 4 MB | 5 MB                 |\n| Ships with Git for Windows | ✔ | 🗙 |\n| Credential storage | Built in | Used together with any storage helper |\n| Development    | .NET                   | Go                   |\n| Lines of code | 40,000 | 500 |\n| Minimum HTTP requests | 1 | 0 |\n| Authentication to Azure DevOps | ✔ | 🗙 (try [git-credential-azure](https://github.com/hickford/git-credential-azure)) |\n| Hosts with default config | 4 | 14 |\n\nThe maintainer personally uses GCM on Windows and git-credential-oauth on Linux.\n\n## Troubleshooting\n\n1. List Git credential helpers `git config --get-all credential.helper`. At least one storage helper should precede `oauth`.\n2. Check Git version `git --version` is at least 2.45. Older Git versions have [limited support for storing OAuth refresh tokens](https://github.com/hickford/git-credential-oauth/issues/20).\n3. Check git-credential-oauth version is [recent](https://github.com/hickford/git-credential-oauth/releases/).\n4. Check Git remote URL `git remote -v` does not contain a username.\n5. Test git-credential-oauth in verbose mode for *your specific host* `printf 'host=example.com\\nprotocol=https\\n' | git-credential-oauth -verbose get`. 
Set any config keys suggested.\n\n### GitHub organizations\n\nSome GitHub organizations require users to manually request approval for the app:\n\n1. \u003chttps://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/requesting-organization-approval-for-oauth-apps\u003e\n2. \u003chttps://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization\u003e\n\n## Development\n\nInstall locally with `go install .`.\n\n### Debugging\n\nUse the `-verbose` flag to print more details:\n\n```sh\ngit config --global --unset-all credential.helper oauth\ngit config --global --add credential.helper \"oauth -verbose\"\n```\n\nYou can also test git-credential-oauth in isolation:\n\n```\nprintf 'host=gitlab.com\\nprotocol=https\\n' | git-credential-oauth -verbose get\n```\n\nYou can test configured helpers in combination with `git credential fill`, eg.\n\n```\necho url=https://gitlab.com | git credential fill\n```\n\nTo see which helpers Git calls, set `export GIT_TRACE=1`.\n\n## See also\n\n* [git-credential-azure](https://github.com/hickford/git-credential-azure): a Git credential manager that authenticates to Azure Repos\n* [Git Credential Manager](https://github.com/git-ecosystem/git-credential-manager)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhickford%2Fgit-credential-oauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhickford%2Fgit-credential-oauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhickford%2Fgit-credential-oauth/lists"}