On January 10, 2025 1:17 PM, Junio C Hamano wrote:
>Subject: Re: [PATCH] docs: discuss caching personal access tokens
>
>"M Hickford via GitGitGadget" <gitgitgadget@xxxxxxxxx> writes:
>
>> From: M Hickford <mirth.hickford@xxxxxxxxx>
>>
>> Describe problems storing personal access tokens in
>> git-credential-cache and suggest alternatives.
>
>> +PERSONAL ACCESS TOKENS
>> +----------------------
>> +
>> +Some remotes accept personal access tokens, which are randomly
>> +generated and hard to memorise. They typically have a lifetime of
>> +weeks or months.
>> +
>> +git-credential-cache is inherently unsuitable for persistent storage
>> +of personal access tokens. The credential will be forgotten after the
>> +cache timeout. Even if you configure a long timeout, credentials will
>> +be forgotten if the daemon dies.
>
>Very true.
>
>> +To avoid frequently regenerating personal access tokens, configure a
>> +credential helper with persistent storage.
>
>Like libsecret and osxkeychain, you mean? I am wondering if we want to be a bit
>more helpful by being explicit. I think there is a section in a manual page that has a
>list of known and often-used credential backends, so referring the readers to that
>section may be helpful.
>
>> Alternatively, configure an
>> +OAuth credential helper to generate credentials automatically. See
>> +linkgit:gitcredentials[7].
>
>Indeed.

My solution for this is to write a custom credential manager that is PAT aware. The one I built does not support OAuth or OAuth2. This is non-trivial when dealing with a CLI. Integrating with something like MS Authenticator might be a reasonable option for some.
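
Review bot: In the last added paragraph, "configure a credential helper with persistent storage" leaves the reader with nothing to act on: no helper is named, and "See linkgit:gitcredentials[7]" comes only after the OAuth sentence, so it reads as applying to OAuth helpers alone. Suggest rewording so the reference covers both alternatives, for example by moving it ahead of "Alternatively" or by pointing at the part of that page that lists available helpers. In the second added paragraph, "Even if you configure a long timeout" assumes the reader already knows how the timeout is set; naming the option there would tie the new section to the rest of the page. It would also help to say in that paragraph that the cache holds credentials in the daemon's memory only, since that is the reason "credentials will be forgotten if the daemon dies" and it is what distinguishes the cache from the persistent helpers recommended next.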