GitHub Clone with OAuth Access Token

Asked 9/2, 2017 at 23:24 Answered 20/7, 2023 at 18:44

267

Inside a script I am trying to clone a GitHub repository with an OAuth token.

According to this tutorial:

https://github.com/blog/1270-easier-builds-and-deployments-using-git-over-https-and-oauth

I should be able to build a command for it like this:

git clone https://<token>@github.com/owner/repo.git

If I try this manually with a proper access token, it still asks for my password.

If I try it on the commandline I am simply getting a repository not found error.

The article is from 2012 and I cannot find any API documentation for this. So I am wondering if this still works.

Prescriptive answered 9/2, 2017 at 23:24 Comment(3)

What is the difference between "If I try this manually" and "If I try it on the commandline"? – Fritzfritze 28/6, 2019 at 11:12

Please correct the URI-token syntax, see https://mcmap.net/q/13728/-using-gitlab-token-to-clone-without-authentication – Landward 6/1, 2021 at 22:47

@PeterKrauss Linking to an unrelated thread seems a bit uncalled for, especially if it's a "closed" topic – Cheng 11/3, 2021 at 14:50

121

I turned out to be a scope issue. I of course needed full repo scope since I was trying to clone a private repository.

It's a shame Github does not have some clearer error messages for these kind of things, but security wise I understand why.

For anyone trying to figure out what is wrong when trying out something like this, I would suggest to create a personal access token with full access to everything:

settings > developer settings > personal access tokens > generate new token

This way you can easily test if it is a scope issue by comparing your token with a personal access token that has access rights for everything.

Thanks for anyone who still took the time to read this.

Prescriptive answered 11/2, 2017 at 11:46 Comment(3)

Mind that if you simply try to access the repo page through a browser you'll still face a 404-not found page. But cloning worked fine regardless in my case. – Scumble 15/5, 2018 at 20:35

I provided a scope of user repo to the authorization request, and when requesting an access token it always returns with scope= (empty scope). Why is that? – Sapers 6/5, 2020 at 21:46

It may seem that there is no way to avoid write access using a Github security token, which is kind of a security limitation for scripts and other integrations where just cloning a private repo is required :( – Dextroamphetamine 29/1, 2022 at 17:53

326

Just use the HTTPS address to clone with the key as the user, so:

git clone https://oauth2:[email protected]/username/repo.git

git clone https://username:[email protected]/username/repo.git

Degraded answered 11/2, 2021 at 14:48 Comment(5)

You can also use github Personal Access Token with this command in place of OAuth Key. – Feoff 26/1, 2022 at 2:26

It used to work fine for me with classical personal access token, but as of 18th of October, GitHub released also fine-grained personal access token and it looks like for them, you have to use git clone https://oauth2:<oauth-key-goes-here>@github.com/username/repo.git – Lepley 20/10, 2022 at 12:10

Wow. I wonder how the heck this is supposed to work with package managers like composer where the repository info is configured in plain-text JSON. I can't believe that Github doesn't provide a way to pass the key discreetly i.e. through the COMPOSER_AUTH environment variable...kind of defeats the purpose of an organization service user use case. – Woods 19/1, 2023 at 17:48

The way with …username:token… worked for Gitlab as well! – Sonstrom 6/4, 2023 at 14:50

I can still use fine-grained PAT without oauth2: – Utmost 23/11, 2023 at 11:31

121

I turned out to be a scope issue. I of course needed full repo scope since I was trying to clone a private repository.

It's a shame Github does not have some clearer error messages for these kind of things, but security wise I understand why.

For anyone trying to figure out what is wrong when trying out something like this, I would suggest to create a personal access token with full access to everything:

settings > developer settings > personal access tokens > generate new token

This way you can easily test if it is a scope issue by comparing your token with a personal access token that has access rights for everything.

Thanks for anyone who still took the time to read this.

Prescriptive answered 11/2, 2017 at 11:46 Comment(3)

Mind that if you simply try to access the repo page through a browser you'll still face a 404-not found page. But cloning worked fine regardless in my case. – Scumble 15/5, 2018 at 20:35

I provided a scope of user repo to the authorization request, and when requesting an access token it always returns with scope= (empty scope). Why is that? – Sapers 6/5, 2020 at 21:46

Just clone the repository with HTTP like so:

git clone https://github.com/myuser/myrepo.git

When prompted for Username, fill your username.

When prompted for Password, fill the token instead.

Amplify answered 14/8, 2020 at 13:41 Comment(5)

It is not the answer, the problem is about use the token, see https://mcmap.net/q/13728/-using-gitlab-token-to-clone-without-authentication – Landward 6/1, 2021 at 22:47

you can use the token in the URL as [email protected]/username/repo.git – Degraded 11/2, 2021 at 14:48

well....worked for github too... Guess it is supposed to be used.. like more of a appPassword with every URL Thanks Anyway – Stinking 28/4, 2021 at 10:34

Worth to say you can use your personal token in place of password for any git command line action, not only clone – Stiffen 30/6, 2021 at 9:55

found a error => remote : repository not found – Carburize 29/8, 2021 at 9:17

Please try this.

git clone `https://oauth2:[email protected]/username/repo.git`

For example, git clone https://oauth2:[email protected]/gituser/testrepo.git

Quyenr answered 6/9, 2021 at 13:33 Comment(5)

it's working. please check the url carefully. @github.com/gituser/testrepo.git – Quyenr 14/9, 2021 at 18:9

This is way better than manually writing the username and password! I can save a github access token variable and user a script with git clone https://oauth:[email protected]/user/repo.git or just add the token itself to a script. Underrated answer here. – Myasthenia 9/10, 2021 at 2:27

I get ` remote: Invalid username or password` when using an organization repo :( git clone https://oauth2:[email protected]/MyOrg/repo.git – Repel 12/1, 2022 at 8:56

@AKingscote, please check if your key is correct and not expired. – Quyenr 17/1, 2022 at 9:37

token starting with ghp seems not be a new fine grained token, ghp is for classic token, which is easy to use but some orga disable it for security concern. The new fine grained token starts with github_pat_ where I have pain to use it even for git clone – Aphrodisiac 28/11, 2023 at 14:28

Do whatever works for you from these two choices

In your terminal

$ git clone your_repo_url Username:your_token Password:

... there is no password

In your git client app

i.e. Sourcetree, GitKraken, and the GitHub client.

Enter your repo_url (obvsiously without the '$ git clone part')

Username:your_token Password:

... there is no password

OR i.e. in Sourcetree, open preferences and then go to advanced, enter the hostname (i.e. www.x.com) and userName (i.e. your_token)

👍

Headquarters answered 4/2, 2019 at 10:52 Comment(2)

Using token as username worked for me on windows – Plague 7/12, 2021 at 16:13

I had to use my real username as username and token as a password, not username as of now, maybe I had initially some redundant space in it, or it takes a little while, while the token activation takes places – Aho 26/1, 2022 at 11:56

go to https://github.com/settings/tokens and generate a new token, remember to enable access to the repo, after that, you can do the following to clone the repo.

git clone https://<token>@github.com/owner/repo.git

Note: owner is your username if it's your repository else keep username of repository owner(one with all the rights of repo).

Romaine answered 31/5, 2021 at 4:45 Comment(3)

remote : repository not found – Carburize 29/8, 2021 at 9:16

this works for me. i had a dialog for it and after closing it the only way was putting the token in the url. thanks – Auld 14/12, 2021 at 13:59

It used to work fine for me with classical personal access token, but as of 18th of October, GitHub released also fine-grained personal access token and it looks like for them, you have to use git clone https://oauth2:<token>@github.com/owner/repo.git – Lepley 20/10, 2022 at 12:9

For lazy folks like future me:

Generate your "Personal access tokens (classic)" from https://github.com/settings/tokens and copy it. (This will behave like password in next steps.)
Run the following git command. It signals git to store the credentials (which will come in step 3)
```
git config --global credential.helper manager-core
git config --global credential.helper store
```
In your first clone you will be asked username and password provide your password coming from item 1 above:
```
git clone https://[email protected]/GithubUserName/repo-to-clone.git
```

For next git commands you should not be asked for credentials.

Osric answered 21/2, 2023 at 13:11 Comment(3)

Note that manager-core should be, from Git 2.39+, manager (no longer manager-core). And your second git config --global credential.helper command would override your first command anyway. – Operable 21/2, 2023 at 13:29

I can not thank enough to past me. This answer was useful 4 times within the last one month only. (I set up 4 different cloud machines, and each time I came here to do this stuff. Thank you past me, I love you!) – Osric 28/4, 2023 at 12:42

Hey past me! You are the man. I mean it; YOU ARE THE MAN! 👍 – Osric 22/10, 2023 at 12:12

Just for those who still have problem "cloning a private repository with a readonly FG token: "remote: Write access to repository not granted."

The error message is a bit misleading. In my case the issue was with the configuration:

Create a readonly token (content: readonly)
Make sure the resource owner is properly set.
For organizations, you have to complete "personal-access-tokens-onboarding".
Clone the repository using https://oauth2:[email protected]/myuser/myrepo.git (note the username, as suggested by others, it's oauth2)

With all of the above, I managed to clone a private repository with a readonly token (and no, there was no write access 🙂)

Attired answered 21/12, 2022 at 13:0 Comment(0)

As of Spring 2023, if you have your access token scopes set correctly, this is a one liner for cloning a repo (no need for any further interaction):

git clone https://ghp_foo_etc:[email protected]/bar/baz-phoenix.git

Where ghp_foo_etc is your access token. That's it! This is similar to how npm accesses code in private repos. Theres' no need to provide a user name.

I'm pretty certain its' always been so!

Decalogue answered 25/5, 2023 at 17:21 Comment(1)

Why there's so many ways to do this? Optional oauth2:, and now token first. Is there any docs for this? – Utmost 23/11, 2023 at 12:2

In .net core you can do in this way when dealing with Azure DevOps Repo:

 public void CloneRepository()
        {
            var _gitURL = "URLofGitRemoteRepository";
            var _userName = "PersonalAccessToken";
            var _pswd = ""; //Keep it blank

            var co = new CloneOptions();
            co.CredentialsProvider = (_url, _user, _cred) => new UsernamePasswordCredentials { Username = _userName, Password = _pswd };

            Repository.Clone(_gitURL, filePath, co);
        }

Rapparee answered 20/6, 2019 at 13:23 Comment(0)

For me none of the answers above worked. It turns out I had set an expiration of one month on my token so I had to recreate the token using the instructions here: https://www.shanebart.com/clone-repo-using-token/

Bluecoat answered 10/12, 2021 at 23:6 Comment(0)

You need to include a username before the token. GitHub accepts any username. oauth2 works for both GitHub and GitLab.

git clone https://oauth2:[email protected]/owner/repo.git

However including credentials in https Git URL is considered bad practice because it risks inadvert credential exposure from config files and command history.

Also, it will break when the token expires. This is as short as two hours for hosts such as GitLab and BitBucket.

More secure and more reliable is to use a credential-generating helper such as Git Credential Manager (included in Git for Windows) or git-credential-oauth (included in several Linux distributions).

The first time you authenticate, the helper opens a browser window to the host. Subsequent authentication is non interactive.

These helpers refresh expired OAuth tokens as necessary.

Thyroxine answered 20/7, 2023 at 18:44 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags