Git complains about bad input using credential.credentialType set to oauth #327

Closed
davehcdn opened this issue Apr 15, 2021 · 8 comments
Labels
experimental Specific to an experimental feature

Comments

@davehcdn

Installed 2.0.394-beta+3fc6791abf on my mac using homebrew

$> git config -l
credential.helper=osxkeychain
credential.helper=/usr/local/share/gcm-core/git-credential-manager-core
credential.azrepospatmode=false
credential.https://dev.azure.com.usehttppath=true
credential.azrepos:org/{removed}.username={removed}

$> git config --get credential.helper
/usr/local/share/gcm-core/git-credential-manager-core

I can successfully do a git clone (GCMCore opens a browser window for my MFA / Authentication) however when I look in https://dev.azure.com/{removed}/_userSettings/tokens I can see that it generated a new PAT still...

I thought this should be all the configuration which I need to prevent using a PAT, reading the notes from #294

@mjcheetham
Collaborator

Hi @davehcdn, thanks for the interest in GCM Core's new "PAT-less" mode for Azure Repos.

The setting to control this experimental option was renamed at some point during development, but the PR description linked still shows the old setting.

To enable PAT-less mode now, you need to run:

git config --global credential.azreposCredentialType oauth

https://github.com/microsoft/Git-Credential-Manager-Core/blob/master/docs/configuration.md#credentialazreposcredentialtype-experimental

@mjcheetham
Collaborator

I've updated the release notes to point to this document that explains in more detail the different "credential/auth modes" for Azure Repos, and links to the new setting names.

https://github.com/microsoft/Git-Credential-Manager-Core/blob/master/docs/azrepos-users-and-tokens.md

@davehcdn
Author

@mjcheetham I tried it out and it seems to work but there are two things:

  1. I can do a git clone and it pulls down the repo and I do not see a new PAT listed in my account on DevOps, so I assume the OAuth flow is working, however my command gets a very suspicious output which looks like it is echoing the OAuth token back to me? I think if this is the token it's probably not intentional to show it like this?
>$ git clone https://{removed}@dev.azure.com/{Removed}/{Removed}/_git/Operations
Cloning into 'Operations'...
bad input: 3AiOiJ1c2VyX2ltcGVyc29[...]{Removed}e6CiHeJwJwef0Gw
remote: Azure Repos
remote: Found 675 objects to send. (270 ms)
Receiving objects: 100% (675/675), 198.42 KiB | 6.40 MiB/s, done.
Resolving deltas: 100% (9/9), done.
  2. Looking at the azrepos-users-and-tokens.md you might want to update it to specify that the UI is no longer the only way to manage Azure PAT for DevOps and the API is now public: https://devblogs.microsoft.com/devops/personal-access-token-lifecycle-apis-now-publicly-available/

@mjcheetham
Collaborator

mjcheetham commented Apr 20, 2021

  1. I can do a git clone and it pulls down the repo and I do not see a new PAT listed in my account on DevOps, so I assume the OAuth flow is working, however my command gets a very suspicious output which looks like it is echoing the OAuth token back to me? I think if this is the token it's probably not intentional to show it like this?

The bad input: <...> line is written by Git itself, not GCM. I'm not sure why Git would feel this is bad input.

Please can you run this again with both the GCM_TRACE and GIT_TRACE environment variables set to the same absolute file path (for example: C:\Users\<user>\gcm.log or /home/<user>/gcm.log), and then redact and post the contents of the file on this issue?

  2. Looking at the azrepos-users-and-tokens.md you might want to update it to specify that the UI is no longer the only way to manage Azure PAT for DevOps and the API is now public: https://devblogs.microsoft.com/devops/personal-access-token-lifecycle-apis-now-publicly-available/

I've just updated this; thanks!

@mjcheetham reopened this Apr 20, 2021
@mjcheetham changed the title from "GCMCore still generating a PAT in Azure when credential.azreposPATMode set to false" to "Git complains about bad input using credential.credentialType set to oauth" Apr 20, 2021
@mjcheetham added the experimental (Specific to an experimental feature) label Apr 20, 2021
@davehcdn
Author

export GCM_TRACE="/Users/imac2015/Documents/gcm.log"
export GIT_TRACE="/Users/imac2015/Documents/gcm.log"
git clone https://{Redacted}@dev.azure.com/{Redacted}/{Redacted}/_git/Operations

Bounced to browser to do the Auth

Here is the gcm.log output

09:44:12.697020 git.c:447               trace: built-in: git clone 'https://{Redacted}@dev.azure.com/{Redacted}/{Redacted}/_git/Operations'
09:44:12.715182 run-command.c:667       trace: run_command: git remote-https origin 'https://{Redacted}@dev.azure.com/{Redacted}/{Redacted}/_git/Operations'
09:44:12.720885 git.c:733               trace: exec: git-remote-https origin 'https://{Redacted}@dev.azure.com/{Redacted}/{Redacted}/_git/Operations'
09:44:12.721540 run-command.c:667       trace: run_command: git-remote-https origin 'https://{Redacted}@dev.azure.com/{Redacted}/{Redacted}/_git/Operations'
09:44:13.107508 run-command.c:667       trace: run_command: 'git credential-osxkeychain get'
09:44:13.116979 git.c:733               trace: exec: git-credential-osxkeychain get
09:44:13.117555 run-command.c:667       trace: run_command: git-credential-osxkeychain get
09:44:13.136981 run-command.c:667       trace: run_command: '/usr/local/share/gcm-core/git-credential-manager-core get'
09:44:13.218680 git.c:447               trace: built-in: git config --null credential.namespace
09:44:13.277545 ...er/Application.cs:84 trace: [RunInternalAsync] Version: 2.0.394.50751
09:44:13.277952 ...er/Application.cs:85 trace: [RunInternalAsync] Runtime: .NET 5.0.4
09:44:13.277988 ...er/Application.cs:86 trace: [RunInternalAsync] Platform: macOS (x86-64)
09:44:13.278003 ...er/Application.cs:87 trace: [RunInternalAsync] AppPath: /usr/local/share/gcm-core/git-credential-manager-core
09:44:13.278049 ...er/Application.cs:88 trace: [RunInternalAsync] Arguments: get
09:44:13.353016 ...GitCommandBase.cs:35 trace: [ExecuteAsync] Start 'get' command...
09:44:13.362857 ...GitCommandBase.cs:49 trace: [ExecuteAsync] Detecting host provider for input:
09:44:13.364148 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	protocol=https
09:44:13.364191 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	host=dev.azure.com
09:44:13.364205 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	path={Redacted}/{Redacted}/_git/Operations
09:44:13.364216 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	username={Redacted}
09:44:13.395813 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
09:44:13.397759 ...viderRegistry.cs:162 trace: [GetProviderAsync] Checking against 3 host providers registered with priority 'Normal'.
09:44:13.398673 ...GitCommandBase.cs:52 trace: [ExecuteAsync] Host provider 'Azure Repos' was selected.
09:44:13.414231 ...sHostProvider.cs:403 trace: [UsePersonalAccessTokens] Azure Repos credential type override set to 'oauth'
09:44:13.416374 ...sHostProvider.cs:237 trace: [GetAzureAccessTokenAsync] Determining Microsoft Authentication authority for Azure DevOps organization '{Redacted}'...
09:44:13.416541 ...AuthorityCache.cs:59 trace: [GetAuthority] Looking up cached authority for organization '{Redacted}'...
09:44:13.423051 ...sHostProvider.cs:246 trace: [GetAzureAccessTokenAsync] Authority is 'https://login.microsoftonline.com/2ebaed2f-af63-45af-a67b-ec24f2eeb7ef'.
09:44:13.423092 ...sHostProvider.cs:268 trace: [GetAzureAccessTokenAsync] Looking up user for organization '{Redacted}'...
09:44:13.423650 ...BindingManager.cs:96 trace: [GetBinding] Looking up organization binding for '{Redacted}'...
09:44:13.436179 ...sHostProvider.cs:272 trace: [GetAzureAccessTokenAsync] User is '{Redacted}.{Redacted}@{Redacted}.onmicrosoft.com'.
09:44:13.436215 ...sHostProvider.cs:275 trace: [GetAzureAccessTokenAsync] Getting Azure AD access token...
09:44:13.489079 ...uthentication.cs:214 trace: [RegisterTokenCacheAsync] Configuring Microsoft Authentication token cache to instance shared with Microsoft developer tools...
09:44:13.998725 ...uthentication.cs:270 trace: [RegisterTokenCacheAsync] Microsoft developer tools token cache configured.
09:44:13.999618 ...uthentication.cs:169 trace: [GetAccessTokenSilentlyAsync] Attempting to acquire token silently for user '{Redacted}.{Redacted}@{Redacted}.onmicrosoft.com'...
09:44:14.061291 ...pClientFactory.cs:54 trace: [CreateClient] Creating new HTTP client instance...
09:44:14.763008 ...uthentication.cs:177 trace: [GetAccessTokenSilentlyAsync] Failed to acquire token silently; user interaction is required.
09:44:14.797094 ...uthentication.cs:109 trace: [GetTokenAsync] Performing interactive auth with system web view...
09:44:18.167658 ...sHostProvider.cs:282 trace: [GetAzureAccessTokenAsync] Acquired Azure access token. Account='{Redacted}.{Redacted}@{Redacted}.onmicrosoft.com' Token='********'
09:44:18.171299 ...GitCommandBase.cs:56 trace: [ExecuteAsync] End 'get' command...
             trace: built-in: git config --null http.proxy
09:44:14.117861 git.c:447               trace: built-in: git config --null --list --show-scope
09:44:14.126549 git.c:447               trace: built-in: git config --null http.sslVerify
09:44:14.770898 git.c:447               trace: built-in: git config --null --list --show-scope
09:44:14.778290 git.c:447               trace: built-in: git config --null credential.interactive
09:44:14.786308 git.c:447               trace: built-in: git config --null --list --show-scope
09:44:14.793685 git.c:447               trace: built-in: git config --null credential.msauthFlow
09:44:18.323042 run-command.c:667       trace: run_command: 'git credential-osxkeychain store'
09:44:18.334295 git.c:733               trace: exec: git-credential-osxkeychain store
09:44:18.334882 run-command.c:667       trace: run_command: git-credential-osxkeychain store
09:44:18.341071 run-command.c:667       trace: run_command: '/usr/local/share/gcm-core/git-credential-manager-core store'
09:44:18.417332 git.c:447               trace: built-in: git config --null credential.namespace
09:44:18.471325 ...er/Application.cs:84 trace: [RunInternalAsync] Version: 2.0.394.50751
09:44:18.471741 ...er/Application.cs:85 trace: [RunInternalAsync] Runtime: .NET 5.0.4
09:44:18.471777 ...er/Application.cs:86 trace: [RunInternalAsync] Platform: macOS (x86-64)
09:44:18.471792 ...er/Application.cs:87 trace: [RunInternalAsync] AppPath: /usr/local/share/gcm-core/git-credential-manager-core
09:44:18.471837 ...er/Application.cs:88 trace: [RunInternalAsync] Arguments: store
09:44:18.549208 ...GitCommandBase.cs:35 trace: [ExecuteAsync] Start 'store' command...
09:44:18.559478 ...GitCommandBase.cs:49 trace: [ExecuteAsync] Detecting host provider for input:
09:44:18.560664 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	protocol=https
09:44:18.560710 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	host=dev.azure.com
09:44:18.560726 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	path={Redacted}/{Redacted}/_git/Operations
09:44:18.560739 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	username={Redacted}.{Redacted}@{Redacted}.onmicrosoft.com
09:44:18.560751 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	password=********
09:44:18.592567 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
09:44:18.594643 ...viderRegistry.cs:162 trace: [GetProviderAsync] Checking against 3 host providers registered with priority 'Normal'.
09:44:18.595456 ...GitCommandBase.cs:52 trace: [ExecuteAsync] Host provider 'Azure Repos' was selected.
09:44:18.609734 ...sHostProvider.cs:403 trace: [UsePersonalAccessTokens] Azure Repos credential type override set to 'oauth'
09:44:18.610644 ...sHostProvider.cs:135 trace: [StoreCredentialAsync] Signing user {Redacted}.{Redacted}@{Redacted}.onmicrosoft.com in to organization '{Redacted}'...
09:44:18.611100 ...BindingManager.cs:96 trace: [GetBinding] Looking up organization binding for '{Redacted}'...
09:44:18.623916 ...indingManager.cs:136 trace: [Bind] Binding user '{Redacted}.{Redacted}@{Redacted}.onmicrosoft.com' to organization '{Redacted}' in global configuration...
09:44:18.631777 ...indingManager.cs:151 trace: [Unbind] Unbinding organization '{Redacted}' in local repository...
09:44:18.646239 ...GitCommandBase.cs:56 trace: [ExecuteAsync] End 'store' command...
.username {Redacted}.{Redacted}@{Redacted}.onmicrosoft.com
09:44:18.636914 git.c:447               trace: built-in: git rev-parse --absolute-git-dir
09:44:18.644397 git.c:447               trace: built-in: git config --local --unset credential.azrepos:org/{Redacted}.username
09:44:18.657541 run-command.c:667       trace: run_command: git fetch-pack --stateless-rpc --stdin --lock-pack --thin --check-self-contained-and-connected --cloning 'https://{Redacted}@dev.azure.com/{Redacted}/{Redacted}/_git/Operations/'
09:44:18.661952 git.c:447               trace: built-in: git fetch-pack --stateless-rpc --stdin --lock-pack --thin --check-self-contained-and-connected --cloning 'https://{Redacted}@dev.azure.com/{Redacted}/{Redacted}/_git/Operations/'
09:44:18.970767 run-command.c:667       trace: run_command: git index-pack --stdin -v --fix-thin '--keep=fetch-pack 23060 on Davids-MacBook-Pro.local' --check-self-contained-and-connected --pack_header=2,675
09:44:18.975980 git.c:447               trace: built-in: git index-pack --stdin -v --fix-thin '--keep=fetch-pack 23060 on Davids-MacBook-Pro.local' --check-self-contained-and-connected --pack_header=2,675
09:44:19.021776 run-command.c:667       trace: run_command: git rev-list --objects --stdin --not --all --quiet --alternate-refs '--progress=Checking connectivity'
09:44:19.026148 git.c:447               trace: built-in: git rev-list --objects --stdin --not --all --quiet --alternate-refs '--progress=Checking connectivity'

@davehcdn
Author

davehcdn commented May 1, 2021

@mjcheetham does that output help at all? Coworkers tested on Windows 10 and they didn't get the echo back

@mjcheetham
Collaborator

It looks like the osxkeychain helper might be getting involved/interleaved with the Git-GCM interaction.
In your ~/.gitconfig file, can you see if you have the following entries? (note the blank line entry is important):

[credential]
    helper = 
    helper = /usr/local/share/gcm-core/git-credential-manager-core
    azreposCredentialType = oauth
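
The effect of the blank `helper =` entry, as an added example that is not part of the original thread or GCM's own code: Git treats an empty `credential.helper` value as a reset that drops every helper configured before it, and without that reset the trace above shows both `credential-osxkeychain` and GCM being run for `get` and `store`. The function names are this example's own, and it assumes the `osxkeychain` value comes from a config file Git reads before `~/.gitconfig`.

```shell
#!/bin/sh
# Added example: work out which credential helpers Git will really invoke.
# Input: credential.helper values, one per line, in the order Git reads
# them (the format `git config --get-all credential.helper` prints).

GCM=/usr/local/share/gcm-core/git-credential-manager-core

# effective_helpers: print the helper chain left after applying resets.
# An empty value clears every helper listed before it.
effective_helpers() {
    chain=""
    while IFS= read -r value || [ -n "$value" ]; do
        if [ -z "$value" ]; then
            chain=""                      # reset: earlier helpers dropped
        elif [ -z "$chain" ]; then
            chain="$value"
        else
            chain="$chain
$value"
        fi
    done
    if [ -n "$chain" ]; then printf '%s\n' "$chain"; fi
}

# extra_helpers EXPECTED: print effective helpers other than EXPECTED.
# Any output means another helper also receives the credential.
extra_helpers() {
    effective_helpers | { grep -v -x -F -e "$1" || true; }
}

# Constructed input: helper values as in the issue's `git config -l`.
config_before() { printf '%s\n' osxkeychain "$GCM"; }
# Constructed input: the same list with the empty entry restored
# (assumes osxkeychain is set in an earlier-read config file).
config_after() { printf '%s\n' osxkeychain "" "$GCM"; }

echo "before, extra helpers: $(config_before | extra_helpers "$GCM")"
echo "after,  extra helpers: $(config_after | extra_helpers "$GCM")"

# On a real machine:
#   git config --get-all credential.helper | extra_helpers "$GCM"
```
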

@davehcdn
Author

davehcdn commented May 5, 2021

Thank you @mjcheetham - the issue is now resolved. I foolishly thought I knew better and I had removed that empty line from my git config at some point.

I have added it back and it no longer echoes out the bad input.

@davehcdn closed this as completed May 5, 2021