Support OAuth 2.0 authentication

[Djaytan]

Description

I would like the following code:

String myAccessToken = "access-token-here";
Git git = ...;
git.push()
    .setCredentialsProvider(new OAuthCredentialsProvider(myAccessToken))
    .setPushAll()
    .call();

to include the following HTTP header in the dispatched request toward the Git server:

Authorization: Bearer access-token-here

Motivation

Nowadays, OAuth 2.0 is a widespread standard for authorization. This is what is typically used by GitHub and Bitbucket.

However, JGit doesn't support this type of authentication, thus leading to troubles. Fortunately, a workaround exists but ideally it would be better to integrate directly the solution inside JGit.

Alternatives considered

The workaround which has been found:

String myAccessToken = "access-token-here"
Git git = ...;
git.push()
    .setTransportConfigCallback(
        transport -> {
          if (transport instanceof TransportHttp transportHttp) {
            transportHttp.setAdditionalHeaders(
                Map.of("Authorization", "Bearer " + myAccessToken));
          }
        })
    .setPushAll()
    .call();

Additional context

Related Stack Overflow question:

• https://stackoverflow.com/questions/28073266/how-to-use-jgit-to-push-changes-to-remote-with-oauth-access-token

[mytest4mail03]

I'm not able to authenticate even with this workaround.

Caused by: org.eclipse.jgit.errors.TransportException: https://github.com/mytest4mail03/spring-petclinic.git: Authentication is required but no CredentialsProvider has been registered

[tomaswolf]

The linked stack overflow post is about accessing Github repositories via HTTPS and appears to be very outdated and/or confused.

For Github, you need to use a Personal Access Token (PAT), and use that as password in a UsernamePasswordCredentialsProvider. This is described in the Egit User's Guide. Using a PAT with Bearer Auth won't work.

[msohn]

Support for OAuth 2 authentication is growing amongst git hosting services [1].
Hence I think that's a valid feature request. Actually I just got the same requirement internally at SAP and was about to file a similar feature request :-)

Implementing typical OAuth authentication flows is not as simple as passing a long-term secret like a GitHub personal access token via bearer header to the application. Instead the client's request is redirected to an OAuth server where the user authenticates using long-term credentials (with a validity of months) and potentially a second factor. On successful authentication the server responds with a short-lived token (validity in the minutes) and redirects the client to the application (here github). The client needs to refresh the short-lived tokens before they expire.

Git has a credentials helper API to retrieve credentials from the user or some credentials store (keychain, cache).
There are implementations of this API supporting OAuth 2, see [2],[3]. We may consider to add the same API to JGit so that it can leverage existing git credentials helpers. Though since this API depends on installation of existing credentials helpers which are not implemented in Java I guess we will use some OAuth Java library to implement OAuth support in JGit.

[1] hickford/git-credential-oauth#17
[2] https://github.com/git-ecosystem/git-credential-manager
[3] https://github.com/hickford/git-credential-oauth