problem with Git Credential Manager when `[oauth2].ENABLED=false`, because of `Www-Authenticate: Basic realm="Gitea"`

[gh-user-2022]

Description

Problem noticed on attempt to update to newest Gitea version 1.24.6.
https://github.com/go-gitea/gitea/releases/tag/v1.24.6

When OAuth is disabled with [oauth2].ENABLED=false in app.ini, then Git Credential Manager tries to open non-existent URL http://<...>/login/oauth/authorize?<...> in browser.

Some minimal debugging shows that there is interplay between

gitea/routers/web/repo/githttp.go

Line 148 in 08c6ea6

ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea"`)

and https://github.com/git-ecosystem/git-credential-manager/blob/786ab03440ddc82e807a97c0e540f5247e44cec6/src/shared/Core/GenericOAuthConfig.cs#L17

In older versions of Gitea there was Www-Authenticate: Basic realm=".", so Git Credential Manager worked correctly.

gitea/routers/web/repo/http.go

Line 162 in d424357

ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"")

I wonder, how can this be somehow worked around.

Gitea Version

1.24.6

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

git version 2.51.0.windows.1

Operating System

Microsoft Windows [Version 10.0.17763.7314]

How are you running Gitea?

Used package from https://github.com/go-gitea/gitea/releases/tag/v1.24.6
Run with commandline in directory C:\gitea with custom configuration in C:\gitea\custom\conf\app.ini

With

[oauth2]
ENABLED = false

Database

SQLite

[vicentini]

I stumbled upon the same problem. Is there an easy workaround.
What can I do about it?

[wxiaoguang]

Duplicate.

Workaround: First authorization via OAUTH fails #31470

[vicentini]

Thanks for the response. I read #31470 but don't think it's a duplicate.
I disabled oauth as stated in the original post and also don't want to use it. So I'd expect the login to always fail, as it's happening.

If I try to clone one of my repositories a gitea page is opened in the browser showing "forbidden", as I would expect it, because oauth is diasabled.
How can I convince the credential manager not to use oauth?

[wxiaoguang]

Sorry I have no idea because I don't use GCM

[gh-user-2022]

How can I convince the credential manager not to use oauth?

If we discuss the way to do it without modifying Gitea sources, then we can set up some HTTP reverse proxy (e.g. Nginx) to change Www-Authenticate: Basic realm="Gitea" to Www-Authenticate: Basic realm=".".

If we discuss the way to fix Gitea, then I suppose the easiest thing is to let Gitea do the above (without the help of proxy) if [oauth2].ENABLED=false.

[wxiaoguang]

Www-Authenticate: Basic realm="."

It should be easy to do this change.

Could you elaborate why it works? Is it a special logic in GCM?

---

Or, should we set a clear value like Www-Authenticate: Basic realm="Gitea (Basic Auth)" instead of .?

[wxiaoguang]

-> Avoid GCM OAuth2 attempt when OAuth2 is disabled #36000