-
Notifications
You must be signed in to change notification settings - Fork 591
How the Git Credential Managers works
The Git Credential Manager for Windows (GCM) is a credential helper for Git. It securely stores your credentials in the Windows Credential Manager so you only need to enter them once for each remote repo you access. All future Git commands will reuse the existing credentials. The following flows explain how Git HTTPS authentication works with and without the GCM.
-
git
needs to work with a remote host over the HTTPS protocol and invokesgit-remote-https
. -
git-remote-https
negotiates with the host. - The host rejects
git-remote-https
due to lack of credentials. -
git-remote-https
fails with a reason code linked to credentials. -
git
invokesgit-credential
in hopes of acquiring useful credentials. -
git-credential
scans Git's configuration to see if any helpers are registered. -
git-credential
invokes the helpers one at a time in the order listed in hopes of one having useful credentials for the + values. -
git-credential
finds thatcredential.helper=manager
and invokesgit-credential-manager
with the "get" option. -
git-credential-manager
lacks credentials for the remote. -
git-credential-manager
looks at the configuration to determine if these are basic credentials, Visual Studio Team Services, or GitHub; if the request is multi-factor authentication; etc. - In the case of basic credentials,
git-credential-manager
tellsgit-credential
the truth that it does not have any credentials for it. -
git-credential
then prompts the user at the command line for credentials. - The user enters credentials.
-
git-credential
invokesgit-credential-manager
with the "store" option and supplies the credentials for storage.
The experience for Team Services is the same as other Git remotes except a dialog asks for your Microsoft Account or Azure Active Directory credentials the first time you authenticate to a Team Services remote repo. A mutli-factor authentication experience will be shown if it’s configured. After that, authentication uses a Team Services personal access token to silently authenticate. If you’ve already authenticated to Team Services using Visual Studio, we’ll silently use those credentials for Git on the command prompt so you aren’t prompted.
- Check to see if a personal access token exists in the Windows Credential Manager or the Visual Studio cache
- If cached credentials aren’t found, a dialog is shown to get the user’s Microsoft Account or Azure Active Directory credentials. The dialog will show a multi-factor experience if it’s configured for the user’s identity.
- If authentication succeeds, the GCM creates a personal access token with read / write code permissions for the team project.
- The personal access token is stored in the Windows Credential Manager and used to perform the requests Git command.
GitHub authentication without 2-factor will go through the standard GCM flow. If you have 2-factor, you’re asked to enter your passcode on the command line after you enter your username and password.
Git HTTPS authentication with the GCM to a GitHub remote repo and 2-factor authentication enabled on your GitHub accounts
- Check to see if credentials existing in the Windows Credential Manager
- If cached credentials aren’t found, the GCM will display a GitHub branded dialog asking for credential information.
- If authentication succeeds, the GCM creates a personal access token with read / write code permissions for the repo.
- The personal access token is stored in the Windows Credential Manager and used to perform the requests Git command.