This repository has been archived by the owner on Jul 15, 2023. It is now read-only.

How the Git Credential Manager works

J Wyman edited this page Sep 19, 2016 · 2 revisions

All Git remotes

The Git Credential Manager for Windows (GCM) is a credential helper for Git. It securely stores your credentials in the Windows Credential Manager so you only need to enter them once for each remote repo you access. All future Git commands will reuse the existing credentials. The following flows explain how Git HTTPS authentication works with and without the GCM.

Git HTTPS authentication with the GCM

  1. git needs to work with a remote host over the HTTPS protocol and invokes git-remote-https.
  2. git-remote-https negotiates with the host.
  3. The host rejects git-remote-https due to lack of credentials.
  4. git-remote-https fails with a reason code linked to credentials.
  5. git invokes git-credential in hopes of acquiring useful credentials.
  6. git-credential scans Git's configuration to see if any helpers are registered.
  7. git-credential invokes the helpers one at a time, in the order listed, in hopes of one having useful credentials for the protocol + host values.
  8. git-credential finds that credential.helper=manager and invokes git-credential-manager with the "get" option.
  9. git-credential-manager lacks credentials for the remote.
  10. git-credential-manager looks at the configuration to determine if these are basic credentials, Visual Studio Team Services, or GitHub; if the request is multi-factor authentication; etc.
  11. In the case of basic credentials, git-credential-manager reports to git-credential that it does not have any credentials for the remote.
  12. git-credential then prompts the user at the command line for credentials.
  13. The user enters credentials.
  14. git-credential invokes git-credential-manager with the "store" option and supplies the credentials for storage.
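
The "get" and "store" exchange from steps 8 to 14, as an added example that is not part of the original page or the GCM code base: a toy helper that parses the key=value attributes Git writes to a helper's standard input and keys its store on protocol and host. The in-memory STORE (standing in for the Windows Credential Manager), the function names, and the sample host and credentials are assumptions made for illustration.

```python
# Added example: a toy credential helper that speaks Git's helper protocol.
# The in-memory STORE stands in for the Windows Credential Manager (assumption).
import io

STORE = {}  # (protocol, host) -> (username, password)

def parse_attributes(stream):
    """Read key=value lines until a blank line or EOF, as Git sends them."""
    attrs = {}
    for line in stream:
        line = line.rstrip("\n")
        if not line:
            break
        # Split on the first "=" only: a password may itself contain "=".
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[key] = value
    return attrs

def run_helper(operation, stdin_text):
    """Handle one helper invocation and return what it would write to stdout."""
    attrs = parse_attributes(io.StringIO(stdin_text))
    target = (attrs.get("protocol"), attrs.get("host"))
    if None in target:
        return ""                      # not enough context to match anything
    if operation == "get":
        if target not in STORE:
            return ""                  # steps 9-11: nothing stored, say nothing
        username, password = STORE[target]
        return f"username={username}\npassword={password}\n"
    if operation == "store":
        if "username" in attrs and "password" in attrs:
            STORE[target] = (attrs["username"], attrs["password"])  # step 14
        return ""
    if operation == "erase":
        STORE.pop(target, None)        # Git calls this when credentials are rejected
        return ""
    return ""                          # unknown operations are ignored

# Constructed sample input; host and credentials are made up.
REQUEST = "protocol=https\nhost=git.example.com\n\n"
FILLED = "protocol=https\nhost=git.example.com\nusername=alice\npassword=s3cret\n\n"

if __name__ == "__main__":
    print(repr(run_helper("get", REQUEST)))    # first run: helper has nothing
    run_helper("store", FILLED)                # after the user typed credentials
    print(repr(run_helper("get", REQUEST)))    # later runs: served from the store
```

Because the lookup key is the exact (protocol, host) pair, a request for a different host or for plain http gets an empty answer instead of another remote's credentials.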

Visual Studio Team Services authentication

The experience for Team Services is the same as other Git remotes except a dialog asks for your Microsoft Account or Azure Active Directory credentials the first time you authenticate to a Team Services remote repo. A multi-factor authentication experience will be shown if it’s configured. After that, authentication uses a Team Services personal access token to silently authenticate. If you’ve already authenticated to Team Services using Visual Studio, we’ll silently use those credentials for Git on the command prompt so you aren’t prompted.

Git HTTPS authentication with the GCM to a Team Services remote repo

  1. Check to see if a personal access token exists in the Windows Credential Manager or the Visual Studio cache.
  2. If cached credentials aren’t found, a dialog is shown to get the user’s Microsoft Account or Azure Active Directory credentials. The dialog will show a multi-factor experience if it’s configured for the user’s identity.
  3. If authentication succeeds, the GCM creates a personal access token with read / write code permissions for the team project.
  4. The personal access token is stored in the Windows Credential Manager and used to perform the requested Git command.

GitHub 2-factor authentication

GitHub authentication without 2-factor will go through the standard GCM flow. If you have 2-factor, you’re asked to enter your passcode on the command line after you enter your username and password.

Git HTTPS authentication with the GCM to a GitHub remote repo and 2-factor authentication enabled on your GitHub account

  1. Check to see if credentials exist in the Windows Credential Manager.
  2. If cached credentials aren’t found, the GCM will display a GitHub branded dialog asking for credential information.
  3. If authentication succeeds, the GCM creates a personal access token with read / write code permissions for the repo.
  4. The personal access token is stored in the Windows Credential Manager and used to perform the requested Git command.