On Thu, Jun 14, 2018 at 10:13:42AM +0000, brian m. carlson wrote:
> > I know that other git server environments like github support that on
> > client side by allowing tokens to be used as usernames in a BASIC
> > authentication flow. We could do the same but I am asking whether
> > there is also a way to transport tokens in a standard conform
> > "Authorization: Bearer ..." Header field.
>
> There isn't any support for Bearer authentication in Git. For HTTP, we
> use libcurl, which doesn't provide this natively. While it could in
> theory be added, it would require some reworking of the auth code.
>
> You are, of course, welcome to send a patch.
If it's just a custom Authorization header, we should be able to support
it with existing curl versions without _too_ much effort.
I think there are probably two possible directions:
1. add a special "bearer" command line option, etc, as a string
2. add a boolean option to send the existing "password" field as a
"bearer" header
I suspect (2) would fit in with the existing code better, as the special
case would mostly be limited to the manner in which we feed the
credential to curl. And you could probably just set a config option for
"this url's auth will be oauth2", and use the existing mechanisms for
providing the password.
We'd maybe also want to allow credential helpers to say "by the way,
this password should be treated as a bearer token", for cases where you
might sometimes use oauth2 and sometimes a real password.
-Peff
