On Tue, Nov 01 2022, M Hickford wrote:

> On Thu, 27 Oct 2022 at 18:40, Junio C Hamano <gitster@xxxxxxxxx> wrote:
>
>> Also, I wonder if the specific "it can be access token and not
>> password" is something worth adding.
>
> Personal access tokens are ubiquitous nowadays, maybe even more common
> than passwords since GitHub disabled passwords last year. I wanted
> to acknowledge this in the docs, even if Git's own behaviour hasn't
> changed. Maybe the introduction to
> https://git-scm.com/docs/gitcredentials would be a better place to do
> that?
>
> Git will sometimes need credentials from the user in order to
> perform operations; for example, it may need to ask for a username and
> password in order to access a remote repository over HTTP. **The
> server may accept or expect a personal access token instead of a
> password.**
>
> [1] https://github.blog/changelog/2021-08-12-git-password-authentication-is-shutting-down/

A "personal access token" is just a password by another name. When you
enter such a token into your .git/config (or provide it via an auth
helper) we'll send it over via HTTP Basic Auth, "which transmits
credentials as user-id/password pairs, encoded using Base64"[2].

Even the blog post you linked to makes the distinction, by talking
about "account passwords". I.e. what's really going on here is that
providers have been moving to using N passwords instead of 1.

Now, I'm not just trying to be pedantic. I do think there's probably a
doc improvement to be made here. If popular providers are calling this a
"[personal] access token" perhaps we should mention it in passing.

But saying "this could also be" is the point at which this could create
its own confusion. This *is* a password. E.g. if you get such a "token"
and want to try it out with the "curl" utility (whose library we use for
http) it'll be e.g.:

	curl --user <user>:<password> <url>

Not:

	curl --user <user> --personal-access-token <token> <url>

Or whatever. I.e. the entire rest of the stack calls this a "password",
and that stack's a lot more likely to be what stays around in the long
term, rather than what amounts to a marketing term for a password.

1. https://www.rfc-editor.org/rfc/rfc7617
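
The RFC 7617 encoding mentioned in the message above, as an added example that is not part of the original e-mail and is not Git's or curl's code. It shows that a token and an account password occupy the same slot of the Basic credential and that the Base64 form is trivially reversible, so it needs scrubbing from logs. The function names and the sample user, password and token are assumptions constructed for illustration.

```python
import base64
import re


def basic_auth_header(user_id: str, password: str) -> str:
    """Build an RFC 7617 Authorization value; a token goes in the password slot."""
    if ":" in user_id:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header_value: str) -> tuple[str, str]:
    """Recover (user-id, password) from the value; Base64 is encoding, not encryption."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    # Split at the FIRST colon only: the password part may itself contain ':'.
    user_id, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user_id, password


# Matches the Base64 blob after "Authorization: Basic" in a log or trace line.
_AUTH_RE = re.compile(r"(?i)(authorization:\s*basic\s+)[A-Za-z0-9+/=]+")


def redact_basic_auth(log_line: str) -> str:
    """Replace the credential blob so neither passwords nor tokens reach logs."""
    return _AUTH_RE.sub(r"\1<redacted>", log_line)


# Constructed sample values (not real credentials).
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse:battery"
SAMPLE_TOKEN = "example_token_0123456789abcdef"

if __name__ == "__main__":
    for secret in (SAMPLE_PASSWORD, SAMPLE_TOKEN):
        header = basic_auth_header(SAMPLE_USER, secret)
        print(header, "->", parse_basic_auth(header))
        print(redact_basic_auth("> Authorization: " + header))
```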