Change redirect URI from localhost to 127.0.0.1 #594
Comments
|
NB. This would require changing the redirect URI in the OAuth app settings on GitHub etc. https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps#redirect-urls Since GitHub allows at most one URI, I can't see how to do this in a backwards compatible way. |
You are sadly correct here. I was made aware that we should probably be using the loopback IP address rather than The only other option (in lieu of GitHub adding support for multiple redirect URIs) is to create a new OAuth app with the new redirect URI.. however this just adds more complexity to the management and consent of two separate applications. |
mjcheetham
added
host:github
|
For GitHub, instead of redirecting back to either The benefits are that the completed browser flow does not have to redirect to any particular URL (and thus GCM doesn't have to spawn a web server at localhost), and the user is able to complete the browser flow on a different machine (e.g. on their smartphone) than the one where GCM is running as a process. |
|
@mislav GCM already supports OAuth Device Authorization Grant for GitHub, This works great on my headless Rapberry Pi: If you can't see the option, you could try forcing it with preference credential.gitHubAuthModes. |
|
@hickford Thanks for the info! I was able to opt into Device flow by doing this: My next question is, why hasn't GCM auto-detected this when authorizing a git operation from |
|
@mislav what version are you using? Update to https://github.com/GitCredentialManager/git-credential-manager/releases/tag/v2.0.567 or later to get #478 "Add explicit GitHub device code authentication option" My Raspberry Pi has an older version "2.0.498+7ad55fb809" hence 'device code' isn't shown as a separate option. |
|
@hickford I have 2.0.632+478753bbb7 and I do see that my version supports the explicit option of choosing Device flow (as per my previous comment). At the risk of derailing the original topic in this thread, my question is whether I should expect that Device flow is auto-detected as a default authentication method for GitHub.com when nothing is set as |
|
@mislav Good idea. With a recent version on a desktop machine I get the following choice: Whether you see the 'web browser' option depends on the DISPLAY environment variable https://github.com/GitCredentialManager/git-credential-manager/blob/main/src/shared/Core/Interop/Posix/PosixSessionManager.cs |
Ah, I see! DISPLAY isn't set for me on macOS, where I would guess that this variable is never set by default. Nevertheless, I think that maybe GCM could assume that macOS always has desktop capability, since it should be pretty uncommon that developers run macOS in headless mode. Going back to the original topic: in GitHub CLI, which also used to authorize over OAuth web application flow, we've migrated from However, it's even a better idea to default to device flow whenever possible instead of the web application flow. That's why I was talking so much about device flow in this thread; sure, you could spend time improving the HTTP redirect experience, but a much better long-term solution is to avoid the local server redirect altogether. |
GCM is detecting this is GitHub.com and should be presenting all possible auth options available (interactive via browser, manually generated PAT, OAuth device code flow).
When nothing is set for
We actually use
That's not always the case 😉(!) Developers should be allowed to SSH in to a macOS machine, imagine SSH-ing in to a headless Mac mini build machine for example (I have done this myself in previous job!). Also think of something like VS Code SSH remote sessions. Unlike the GitHub CLI, GCM needs to support and present GUI prompts as well as terminal-prompts. IDEs, tools and editors like SourceTree or VS invoke the
Yes, this might be better explored in a different issue. Right now we offer all possible options to the user, and the default selection is to use the browser/local-redirect.
That's an interesting development! I will reach out. |
The OAuth 2.0 spec requires that redirect URLs be matched _exactly_ if specified, including matching trailing slashes. Since the .NET `Uri` type's `.ToString()` method will append a trailing slash to the end of path-less URLs (e.g., "http://foo" => "http://foo/") we need to use the `.OriginalString` property instead. Shoring up this area in anticipation for changes to support multiple GitHub redirect URLs with #594
Use an IPv4 loopback redirect URL instead of the `localhost` name. This is in accordance with the recommendation in the OAuth spec[^1][^2] and also GitHub's documentation[^3]. Note that this change depends on an update to the Git Credential Manager OAuth application on GitHub to add the "http://127.0.0.1/" redirect (with a trailing slash!). We will be strictly adding the new URL, and keep the older localhost-based redirect URL untouched for older clients. The change to the OAuth app registration can occur before this is merged. Fixes #594 [^1]: https://datatracker.ietf.org/doc/html/rfc8252#section-7.3 [^2]: https://datatracker.ietf.org/doc/html/rfc8252#section-8.3 [^3]: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#loopback-redirect-urls
|
The The next release of GCM will now be using the IP loopback address! |
The OAuth spec https://datatracker.ietf.org/doc/html/rfc8252#section-8.3 recommends to use 127.0.0.1 instead of localhost:
Examples in code -- BitBucket, GitHub, Azure https://github.com/GitCredentialManager/git-credential-manager/search?q=localhost
The text was updated successfully, but these errors were encountered: