Hub: OAuth or SSH keys for authentication

Created on 28 Mar 2016 · 9 Comments · Source: github/hub

hub shouldn't have to ask me for my username and password.

All 9 comments

+2

+100

Not sure when this started happening, but not working for https and using OAuth token despite being in ~/.config/hub and storing it after removal

@broady This is a fair suggestion, but something that's not feasible for us to do. Let me explain.

  • SSH keys can be used for authentication with _git_ operations, but the API access that hub needs is entirely separate from that. The GitHub API is _only_ accessible using HTTPS and not SSH.
  • OAuth is an authentication system designed for web applications. It's a method of avoiding giving a 3rd party your credentials by first redirecting to GitHub.com for login, then redirecting back to the original website. Hub is a _command-line tool_, therefore there is no website to redirect back to after login.
  • Some locally installable applications spin up a local server such as http://localhost:1234 and use that as a redirect destination for OAuth web flow. While this approach is technically possible, it's brittle and difficult to maintain. For the sake of ease of development, I'm reluctant to go down such a route. See https://github.com/github/hub/issues/384
  • While it's completely unsafe to give 3rd party websites your GitHub password, it's _relatively_ safe to give locally installed apps your GitHub password. Even if the local app stores the password somewhere, it's still just on your computer. If it tried to send your password somewhere to their own servers, consumers would notice this and they wouldn't trust the vendor at all. So, application vendors don't toy with people's trust, and avoid storing people's passwords anywhere after using them for one-time exchange for an access token.
  • Hub, being developed by GitHub, is _not a 3rd party_. You can safely give your password to hub the same as you're POSTing it to GitHub.com via form every time you log in. And if you're interested in what hub does with your password, the code is entirely open source and available for your perusal. The password doesn't get stored anywhere and gets immediately discarded.

So you see, there's really no incentive for supporting OAuth web flow with hub, and if we tried, the result will just be more complexity to maintain for us with little to no payoff.

@cyberious You seem to have an issue related to authentication, but possibly unrelated to the original question in this thread. Please open a separate issue if you continue to have problems authenticating, and please provide more info when you do so.

@mislav: what about those who use two-factor-authentication? It's prohibitively inconvenient for users to use one two-factor token per hub invocation (especially as it does not support FIDO).

@jupp0r Hub will only prompt you for your GitHub username + password + 2FA token once on initial run. After that, it will exchange this information for an OAuth token that it stores in ~/.config/hub on disk. After that, it should not ask you for username/password/2FA token again. Thus, users with 2FA enabled shouldn't be inconvenienced more than users that have it disabled.

Thanks for the clarification!

On 18 Jul 2016, at 18:16, Mislav Marohnić wrote:

> @jupp0r Hub will only prompt you for your GitHub username + password + 2FA token once on initial run. After that, it will exchange this information for an OAuth token that it stores in ~/.config/hub on disk. After that, it should not ask you for username/password/2FA token again. Thus, users with 2FA enabled shouldn't be inconvenienced more than users that have it disabled.


@mislav Is it possible to use GitHub tokens set up via https://github.com/settings/tokens instead of entering your password? I use a browser-based password manager so I don't actually know any of my passwords.

Yes, you can generate a Personal access token manually and place it in ~/.config/hub:

```yaml
github.com:
- user: masaeedu
  oauth_token: PERSONALTOKEN
  protocol: https
```

In the near future there will be a CLI interface to help you set this up so you don't have to edit the file directly. But for now, please follow these instructions.
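
The shell functions below are an added example, not part of the thread and not hub's own code. They write the config layout shown above from a token read on stdin, then check that only the file's owner can read it, since the token sits there in plaintext. The function names, the 0600 mode and the accepted token and user characters are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not hub's code): create ~/.config/hub from a personal access
# token without putting the token in argv or shell history, and audit the
# resulting file mode. Names and the 0600 policy are this example's assumptions.

# write_hub_config USER [PATH]
# The token arrives on stdin, e.g. piped from a password manager CLI.
write_hub_config() {
  local user="$1" path="${2:-$HOME/.config/hub}" token
  # Accept a final line with or without a trailing newline.
  IFS= read -r token || [ -n "$token" ] || return 1
  # Refuse values that are empty or could break out of the YAML scalar
  # (assumed charset: letters, digits, underscore; hyphen allowed in USER).
  case $token in ''|*[!A-Za-z0-9_]*) echo "invalid token" >&2; return 1 ;; esac
  case $user  in ''|*[!A-Za-z0-9-]*) echo "invalid user"  >&2; return 1 ;; esac
  (
    umask 077   # directory and file are owner-only from the moment they exist
    mkdir -p "$(dirname "$path")" &&
      printf 'github.com:\n- user: %s\n  oauth_token: %s\n  protocol: https\n' \
        "$user" "$token" > "$path"
  ) && chmod 600 "$path"   # also tightens a file that already existed
}

# hub_config_is_private PATH
# Succeeds only if group and other have no permission bits on PATH.
hub_config_is_private() {
  local mode
  # Parse the "-rw-------" string from ls so this works on GNU and BSD alike.
  mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
  [ -n "$mode" ] && [ "${mode#????}" = "------" ]
}
```

Running `hub_config_is_private ~/.config/hub` on an existing install returns non-zero when other local accounts could read the stored token.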
