microsoft / Git-Credential-Manager-for-Windows

Secure Git credential storage for Windows with support for Visual Studio Team Services, GitHub, and Bitbucket multi-factor authentication.

Login prompt doesn't indicate which repo/server #188

Open clairernovotny opened 8 years ago

clairernovotny commented 8 years ago

When the Git Credential Manager pops up the login dialog, there's often no direct indication of which repo it's looking for auth.

It's not always triggered by an explicit user command, but it might come from something like SourceTree doing a refresh in the background. With multiple accounts on multiple servers/repos, we need to know what repo/server the prompt is for so we can enter in the right credentials. Even something on the title bar would help.

whoisj commented 8 years ago

Hmm... with which service are you seeing this?

It would be quite an issue now that you mention it; I've just never encountered it before. Most likely because I have all of my network operations set to on-demand only, but that's only a personal preference.

clairernovotny commented 8 years ago

I work with many different VSTS servers as I am a consultant. I need to use different credentials depending on which VSTS repo it is.

In this case, it's all VSTS but different instances on it.

whoisj commented 8 years ago

@onovotny I see. This could potentially be a problem as the UX for VSTS logon is controlled centrally via a partnership between Azure and VSTS. I'll bring this up to them to see if the UX people can improve the experience in general.

Thanks for the feedback!

If you have any immediate suggestions as to what the GCM can do, please post them here! :smile:

clairernovotny commented 8 years ago

Can GCM add info to the window's title bar?

whoisj commented 8 years ago

> Can GCM add info to the window's title bar?

Not that I know of. The window's title is populated by the underlying HTML (it is an IE window, as I understand it, that you're seeing when the GCM prompts for Azure authentication).

whoisj commented 8 years ago

@onovotny the Azure Authentication team (the team responsible for ADAL, the authentication library the GCM uses and one that opens the authentication dialog) has silently taken notice of this issue and are looking at options to help resolve it.

Just wanted to update you.

akempe commented 8 years ago

Can I just add, given the Azure Authentication team are looking at this, that the UX of popping up a dialog asking for credentials as a result of some background process is ripe for phishing attacks. The dialog already looks FAR too similar to some popup from a browser. Without ANY indication of what repo/endpoint/existing-failed-credentials are being used, there is no way to work out if that popup is legit. Not to mention it then takes a few tries to work out which set of credentials are needed.

whoisj commented 7 years ago

@akempe any update on this issue?

akempe commented 7 years ago

what update you looking for? :) wrong person perhaps?

whoisj commented 7 years ago

> wrong person perhaps?

yes, my apologies.

sean-hammon commented 7 years ago

Just FYI, I have this problem with BitBucket as well. It's not just an Azure issue. The dialog just asks me for credentials for bitbucket.org without any indication of which repo.

whoisj commented 7 years ago

> Just FYI, I have this problem with BitBucket as well. It's not just an Azure issue. The dialog just asks me for credentials for bitbucket.org without any indication of which repo.

I'm rather happy to report the incoming PR from Atlassian Bitbucket (/CC @mminns) should resolve this, but only for BitBucket. Sadly, Azure still isn't making this possible for me. 😢

mminns commented 7 years ago

Hi, if I understand the problem correctly, my Bitbucket changes do not fix this problem.

The trick is whether Git passes enough information to the GCM for the GCM to display anything meaningful. It doesn't need to; all it needs is the host, e.g. bitbucket.org, but there is a 'path' parameter that can be passed which would provide context. I'm not clear at the moment if/when that is passed to the GCM.

whoisj commented 7 years ago

Well then bummer - all hopes dashed. 😞

mminns commented 7 years ago

I've been looking a bit further into this. At the moment both VS Code and Sourcetree are affected by this when they run background git processes that require authentication. If you have multiple repos/accounts you don't know which repo/credentials to use.

There is a simple, partial fix, but it's not 100% foolproof.

```
git config --add credential.useHttpPath true
```

With this configured git will pass an extra 'path' param to the GCM.

e.g. for `git clone https://mminns@github.com/atlassian/SourceTree_Test_Simple_Private.git` it sends:

```
protocol=https
host=github.com
path=atlassian/SourceTree_Test_Simple_Private.git
username=mminns
```

So the GUI screens can parse the path to display additional information, in this GH case:

Organisation: atlassian
Repository: SourceTree_Test_Simple_Private

Essentially the same can be used for Bitbucket, haven't looked into VSTS yet. For generic repos, I suspect you can't make judgements about the path structure, so you could just show:

Path: aaaa/bbbbb/cccccc/repo.git

So far so good, but.... Bitbucket keys its credentials with a username to allow for multiple accounts, but does not use the path in the key at all. GitHub does not use the username, but does use the path in its key.

This means if useHttpPath is on globally the GCM will require a new set of credentials for every GH (or generic host) repo, even if they are all under 1 account, whereas Bitbucket will still share credentials across all repos. Again I've not checked VSTS.

So useHttpPath will solve this problem without side effects for Bitbucket but not GH or generic hosts. (It's also possible that the Bitbucket implementation can be viewed as 'wrong' and doesn't respect the intended behaviour of useHttpPath.)

An alternative for Sourcetree would be to allow for the setting of a GCM_DESCRIPTION env var before running, this could be used to hold the repo name, and in turn it could be displayed in the GUI.

Any thoughts?
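To make the mechanism in the previous comment concrete, here is an added example (not code from this repository or from the commenter) that parses the `key=value` request git writes to a credential helper's stdin, derives the prompt context that becomes available once `path` is present, and models the two storage-key policies described above (Bitbucket keyed by username and ignoring path; GitHub and generic hosts keyed by path) to show why a global `useHttpPath` fragments GitHub credentials but not Bitbucket ones. The sample requests are constructed, and the `KEY_FIELDS` table is this example's own simplification of the described behaviour, not GCM source.

```python
"""Model of git's credential-helper request and of the per-host keying
behaviour described in the thread.  Added example; the keying table is an
assumption based on the discussion, not GCM's implementation."""
from typing import Dict

# Constructed sample requests (not captured from a real session).  With
# credential.useHttpPath on, git adds the 'path' line; otherwise it is absent.
GITHUB_WITH_PATH = (
    "protocol=https\n"
    "host=github.com\n"
    "path=atlassian/SourceTree_Test_Simple_Private.git\n"
    "username=mminns\n"
    "\n"
)
GITHUB_OTHER_REPO = "protocol=https\nhost=github.com\npath=atlassian/other.git\nusername=mminns\n\n"
GITHUB_NO_PATH = "protocol=https\nhost=github.com\nusername=mminns\n\n"
BITBUCKET_A = "protocol=https\nhost=bitbucket.org\npath=team/repo-a.git\nusername=mminns\n\n"
BITBUCKET_B = "protocol=https\nhost=bitbucket.org\npath=team/repo-b.git\nusername=mminns\n\n"
GENERIC = "protocol=https\nhost=git.example\npath=aaaa/bbbbb/cccccc/repo.git\n\n"


def parse_request(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines terminated by a blank line (git's format).
    Later keys override earlier ones; protocol and host are mandatory."""
    req: Dict[str, str] = {}
    for line in text.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed credential line: {line!r}")
        req[key] = value
    for required in ("protocol", "host"):
        if required not in req:
            raise ValueError(f"request lacks {required}")
    return req


def prompt_label(req: Dict[str, str]) -> str:
    """Context a login prompt could show.  Without 'path' only the host is
    known; for github.com/bitbucket.org the path is owner/repo(.git)."""
    host, path = req["host"], req.get("path")
    if path is None:
        return f"Sign in to {host} (repository unknown: git sent no path; credential.useHttpPath is off)"
    if host in ("github.com", "bitbucket.org") and path.count("/") == 1:
        owner, repo = path.split("/")
        if repo.endswith(".git"):
            repo = repo[:-4]
        return f"Sign in to {host}: Organisation: {owner}  Repository: {repo}"
    # Generic hosts: no safe assumption about path structure, show it raw.
    return f"Sign in to {host}: Path: {path}"


# Which request fields each host folds into its storage key, as the thread
# describes them (hypothetical simplification, not GCM source).
KEY_FIELDS = {
    "bitbucket.org": ("username",),  # path ignored: one credential per account
    "github.com": ("path",),         # username ignored: one credential per path
}
DEFAULT_KEY_FIELDS = ("path",)       # generic hosts behave like GitHub here


def storage_key(req: Dict[str, str]) -> str:
    fields = KEY_FIELDS.get(req["host"], DEFAULT_KEY_FIELDS)
    parts = [f"{req['protocol']}://{req['host']}"]
    parts += [f"{f}={req[f]}" for f in fields if f in req]
    return " ".join(parts)


def distinct_credentials(*requests: str) -> int:
    """How many separate credentials the helper would store for these
    requests; more than one for a single account on one host means the
    user will be prompted again per repository."""
    return len({storage_key(parse_request(r)) for r in requests})


if __name__ == "__main__":
    for sample in (GITHUB_WITH_PATH, GITHUB_NO_PATH, BITBUCKET_A, GENERIC):
        print(prompt_label(parse_request(sample)))
    print("github, one account, two repos:", distinct_credentials(GITHUB_WITH_PATH, GITHUB_OTHER_REPO))
    print("bitbucket, one account, two repos:", distinct_credentials(BITBUCKET_A, BITBUCKET_B))
```

The request text above is exactly the shape `git credential fill` reads on stdin and forwards to the configured helper, so the same inputs can be replayed against a real helper to see what it receives. Because git resolves `credential.*` settings per URL (the `credential.<url>.useHttpPath` form documented in gitcredentials), the side effect the comment describes can be limited by enabling `useHttpPath` only for the hosts whose helper shares credentials across paths rather than globally.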

ddfridley commented 7 years ago

I'm on 1.12. `git config --global --add credential.useHttpPath true` is working for me for multiple accounts on GitHub. One thing to point out is that if you have previously set up manual username/password based credentials when you add this config, validated personal access token style credentials will not overwrite them. You will need to delete the username/password credentials so the new credentials can be added (so you won't keep getting prompted to provide credentials).

adamkoncz commented 6 years ago

I still have this issue. I need to access multiple VSTS, GitHub and other accounts. I get a login prompt which forces me to log out of other accounts. That is, I cannot access two VSTS git accounts at the same time.

Moreover the login prompt does not tell me which account I am signing into.

whoisj commented 6 years ago

@adamkoncz v1.15 should solve this issue for VSTS accounts. GitHub will need to modify their authentication helper to support multiple accounts.

adamkoncz commented 6 years ago

@whoisj it seems to be working now, after deleting the credentials and credential manager and reinstalling it. The issue that seems to persist is that the VSTS login prompt does not tell me which account or repository I am logging into. Anyway, I can live with that for now, but it is still annoying.

narration-sd commented 6 years ago

Kind of unbelievable that this issue remains in Sept 2018, isn't it??

This is a big problem. Mike Minns offered a year ago a quite extensive set of facts and suggestions.

To have multiple, floating, anonymous prompts coming up every ten minutes or so that you can't successfully answer is absolutely maddening.

It's especially so since I am also completely able to use all the repos... using SourceTree.

Come on, guys....

And, I'd pay attention to what people say about the potential security issues. Having decent information on the alert would go some way to mitigating those.

So can SECURITY problems light a fire under this??

Thanks, Clive

cmhrpr commented 6 years ago

@narration-sd it's October, Clive