How does Git Credential Manager (GCM) work without manually creating a personal access token (PAT)?
I've scoured the web and have not found a clear answer, so maybe someone here can help me understand.
Summarizing the Question
Git Credential Manager (GCM) is another way to store your credentials securely and connect to GitHub over HTTPS. With GCM, you don't have to manually create and store a PAT, as GCM manages authentication on your behalf, including 2FA (two-factor authentication).
If you authenticate without GitHub CLI, you must authenticate with a personal access token. When Git prompts you for your password, enter your personal access token (PAT) instead. Password-based authentication for Git has been removed, and using a PAT is more secure. For more information, see "Creating a personal access token." Every time you use Git to authenticate with GitHub, you'll be prompted to enter your credentials to authenticate with GitHub, unless you cache them with a credential helper.
I'm really interested in the bold line above:
How does the GCM (Core) "manage" the authentication on my behalf without me having to create a PAT manually?
I tried to keep the question short and precise, but I will try to elaborate here a bit:
I have tried to use GIT for Windows (newest Version) and also the GIT that ships with VS 2022. Both are up to date and use the newest Version of the Credential Manager Core, which is required for the new (since 2021) policy from GitHub, that acc/pw is not allowed anymore and authentication now needs to use PATs. However I'm wondering how the GCM actually magically works, without manually creating a PAT in the GitHub Settings (see links). From the mentioned articles, I strongly assume that the Windows Credential Manager holds some sort of Access Token (or maybe even acc/pw???). I hope to find some clarification about this.
- is the acc/pw stored or a token in the Windows Credential Manager (formerly aka Vault)?
- where is the token coming from, if not manually created by user in GitHub (is there api/webservice from GitHub that is called by the GCM maybe??? if so, why do all those tutorials instruct to add PATs manually??? how would I be able to leverage the same functionality???)
Sidenotes:
All I ever did to authenticate GIT and VS was adding the GitHub account/pw into VS in the account section. After that, I never needed to type in username/pw OR any token at all. Neither for command line (portable) GIT (git-bash) nor for the VS included GIT.
I've checked the Windows Credential Manager passwords, to verify if they are indeed tokens or plain passwords. There's indeed some kind of access token (my pw is not saved there). But that's only half of my question. The more interesting part is actually, where does that token come from and how to get tokens from GitHub without manually creating them?! Moreover, what are the implications of that token (does it expire, when and so on...)
Additional sources, I searched:
Creating a personal access token
Authenticate with GitHub using a token
Support for password authentication was removed. Please use a personal access token instead
Only more mentions of manually created PATs... (exactly the opposite, from what is asked)
Authenticate with GitHub using a token
Support for password authentication was removed. Please use a personal access token instead
How to do git commit using personal access token?
Git credential manager and manually created PAT
Using multiple git personal access tokens (PAT) with Credential Manager
Thanks a lot everybody!
Comments (1)
GitHub personal access tokens are just a special case of GitHub OAuth token. I don't remember exactly how the current GCM Core implementation works, since I think it has changed from the pre-Core GCM implementation, but it basically has you log in and does some sort of OAuth flow to issue a token for your account. Whether that's an actual PAT or a different kind of OAuth token is really irrelevant because they're essentially the same thing.
GCM Core can store credentials in a variety of places, including the system credential store (which differs depending on the operating system). Once they're stored, Git will use them as long as they're valid.
The reason most tutorials suggest generating a PAT yourself is because GCM Core, while available for multiple platforms, is not shipped by default anywhere except as part of Git for Windows. In fact, because it's written in .NET, it's usually a bit of a hassle to get it to work on macOS and Linux, and therefore other credential helpers are typically used instead. Some people also use different credential managers on Windows as well. Most people writing tutorials would like to suggest things which are generally applicable, and so suggesting a PAT is a simple and easy way to get folks up and running.
If you want to do a similar thing to issue tokens, GitHub provides documentation on how to do that with OAuth apps. These tokens, depending on the permissions that users have granted, can also be used to access the API if you need to do that.
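An added example (not part of the original answer, and not GCM's own code): a toy credential helper in Python showing the get/store/erase exchange Git has with any helper, which is why a token obtained once through sign-in keeps being reused until the server rejects it. `ToyHelper` and `fake_oauth` are hypothetical names; `fake_oauth` stands in for the interactive OAuth flow and returns constructed values.

```python
# Added example: toy Git credential helper (not GCM's code).
# Git talks to a helper with "key=value" lines ended by a blank line,
# and one of three actions: get, store, erase.

def parse_attrs(text):
    """Parse a credential record as Git writes it to a helper's stdin."""
    attrs = {}
    for line in text.splitlines():
        if line == "":            # blank line terminates the record
            break
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed credential line: {line!r}")
        attrs[key] = value
    return attrs


class ToyHelper:
    def __init__(self, issue_token):
        self.store = {}                 # stand-in for the OS credential store
        self.issue_token = issue_token  # hypothetical stand-in for the OAuth sign-in

    def handle(self, action, text):
        req = parse_attrs(text)
        key = (req.get("protocol"), req.get("host"))
        if action == "get":
            # Cached token if present, otherwise obtain one interactively.
            cred = self.store.get(key) or self.issue_token(req["host"])
            return f"username={cred['username']}\npassword={cred['password']}\n"
        if action == "store" and "password" in req:
            # Git calls store only after the credential worked.
            self.store[key] = {"username": req.get("username", ""), "password": req["password"]}
        elif action == "erase":
            # Git calls erase after the server rejected the credential.
            self.store.pop(key, None)
        return ""


def demo():
    issued = []
    def fake_oauth(host):               # constructed values, no network
        issued.append(host)
        return {"username": "example-user", "password": f"EXAMPLE-TOKEN-{len(issued)}"}

    helper = ToyHelper(fake_oauth)
    ask = "protocol=https\nhost=github.com\n\n"
    first = parse_attrs(helper.handle("get", ask))        # triggers sign-in
    helper.handle("store", ask.rstrip("\n") + f"\nusername={first['username']}\npassword={first['password']}\n\n")
    second = parse_attrs(helper.handle("get", ask))       # served from the store
    helper.handle("erase", ask)                           # e.g. token was revoked
    third = parse_attrs(helper.handle("get", ask))        # sign-in runs again
    return first["password"], second["password"], third["password"], len(issued)
```

On a real machine, `git config --get-all credential.helper` shows which helper Git will call this way.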