On 2022-10-24 19:26, M Hickford wrote:
> Reading git-credential.txt, I'm not quite clear:
>
> 1. Are the new wwwauth[] and authtype attributes populated by Git and
> passed to helpers? Or vice versa?

The wwwauth[] attribute is from Git -> helper, and the authtype attribute
is from helper -> Git. I can update the doc to make this more explicit.

> 2. Should a storage helper store these attributes? If so, must the
> values be treated as confidential?

Good question. A simple credential helper may wish to inspect these
headers only to differentiate the different authentication schemes
available (basic, bearer, etc) and return a credential of the
correct/available type (and include an `authtype` attribute in the
response).

However it's unlikely such a helper would need to store the wwwauth[]
values as verbatim unless it can directly understand the parameters of
the challenges.

The addition of this attribute is for credential helpers to gain more
context about the auth challenge from the remote. For example, a helper
may receive a bearer challenge including minimum required OAuth scopes
and an authentication authority:

    wwwauth[]=Bearer authority=login.example.com/oauth scopes="code_rw userinfo_read"

Using these extra parameters the helper can try and locate an existing
stored credential that satisfies the request. Such an enlightened helper
would need to query stored credentials looking for matching metadata
including the authority, and a bearer token that has at least the minimum
required scopes (but could have a superset).

Thanks,
Matthew
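
The stored-credential lookup described in the last paragraph of the message, as an added example that is not part of the original message or of Git. Only `wwwauth[]`, `authtype` and the sample challenge come from the message; the store layout, the `token` field, the function names and the extra match on `host` are assumptions of this example.

```python
import re
# Constructed sample store; the field names are assumptions of this example.
STORE = [
    {"host": "git.example.com", "authority": "login.example.com/oauth",
     "scopes": {"code_rw"}, "token": "tok-narrow"},
    {"host": "git.example.com", "authority": "login.example.com/oauth",
     "scopes": {"code_rw", "userinfo_read", "admin"}, "token": "tok-wide"},
]
# Constructed helper input, using the challenge quoted in the message.
REQUEST = (
    'protocol=https\nhost=git.example.com\nwwwauth[]=Basic realm="example"\n'
    'wwwauth[]=Bearer authority=login.example.com/oauth '
    'scopes="code_rw userinfo_read"\n\n'
)
PARAM = re.compile(r'(\w+)=("[^"]*"|[^\s,]+)')

def parse_request(text):
    """Read key=value lines; keys ending in [] accumulate into lists."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the attribute list
        key, sep, value = line.partition("=")
        if sep and key.endswith("[]"):
            attrs.setdefault(key, []).append(value)
        elif sep:
            attrs[key] = value
    return attrs

def parse_challenge(value):
    """Split 'Scheme k=v k="v v"' into (scheme, {param: value})."""
    scheme, _, rest = value.partition(" ")
    params = {k.lower(): v.strip('"') for k, v in PARAM.findall(rest)}
    return scheme.lower(), params

def select_credential(text, store=STORE):
    """Return a stored bearer token that satisfies a Bearer challenge."""
    attrs = parse_request(text)
    for challenge in attrs.get("wwwauth[]", []):
        scheme, params = parse_challenge(challenge)
        if scheme == "bearer":
            needed = set(params.get("scopes", "").split())
            for entry in store:
                # wwwauth[] comes from the remote, so also key on Git's host.
                if (entry["host"] == attrs.get("host")
                        and entry["authority"] == params.get("authority")
                        and needed <= entry["scopes"]):
                    return {"authtype": "bearer", "token": entry["token"]}
    return None
```

The narrower token is skipped because it lacks `userinfo_read`, and the wider one is returned because a superset of the requested scopes is acceptable.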