Try to do MSAL authentication in-proc on platforms and .NET runtimes where full interactive authentication is possible.

This means we don't need to build and ship a second executable on Windows and don't need to do communication over stdin/out to get the access token.

Also, this would mean that on Windows when the user is not in an interactive session (over SSH for example) then they can use the device code flow to interactively authenticate.

Add GCM Core as an experimental feature in the Git for Windows installer. We need to complete at least #112 in order to do this since Git for Windows ships a 32-bit version

Sometimes it's hard to know if GCM or Git is prompting for information. By prefixing all GCM's output to standard error with [gcm] or similar we can 'know who is talking'.

The GitHub authorizations API that is being used at the moment and will be going away.

• Deprecating OAuth Authorization API
  https://developer.github.com/changes/2020-02-14-deprecating-oauth-auth-endpoint/

All applications will need to update to use the Web application flow instead.

• Authorizing OAuth Apps - Web application flow
  https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow

There are a few important differences to consider when using Oauth tokens instead of PATs. They are very similar, but PATs are special in a few ways.

Users can generate PATs with access to their organization's repositories without the organization needing to authorize the app

We need to make sure the app is authorized so that organization owned repositories can be accessed.

PATs implicitly include the workflow scope which allows them to push GitHub Actions workflows

An Oauth app will need to explicitly request the workflow scope.

PATs can do SAML SSO authentication on demand (e.g. when user tries to clone a SAML SSO protected repository)

Users will need to do the SAML SSO when they authenticate using the web-flow. If they don't do this, they will need an easy way to re-authenticate and do the SAML SSO dance.

Any number of PATs can be created with the same set of Oauth scopes

Oauth apps are limited to 10 tokens per user per set of scopes. If a user authenticates on many machines, their older tokens will expire. We need to ensure that this is handled gracefully.

PATs can easily be generated for a specific named user

If the user is already logged into GitHub with their browser, it can be painful to authenticate for a different user. They might need a way to specify which user they want to initiate the web-flow for (I believe it is possible to pass a username to the web-flow URL).

A PAT can be passed directly into the current UI as a password

Might users sometimes want to use a PAT that has been generated manually? Say they want to use different scopes or the PAT has been given to them by someone else.

Notarization fails on macOS because during code signing with MicroBuild we are losing the "Hardened Runtime" flag, and the .NET Core runtime Mach-O binaries are not code signed.

We have disabled the notarization step in release builds until this is fixed.

When the Java-based Git Credential Manager for Mac and Linux is installed a git-credential-manager symlink exists in /usr/local/bin. The Mac installer script does nothing if any such file exists. We should probably make some attempt at either warning the user they have the Java GCM installed or otherwise just walk over that symlink (typically the Java GCM is installed via Homebrew which can re-link if needed).

Which version of GCM Core are you using?

From a terminal, run git-credential-manager-core version and paste the output.

Git Credential Manager version 2.0.164-beta+1264f234c7 (Windows, .NET Framework 4.0.30319.42000)

Which Git host provider are you trying to connect to?

• Azure DevOps
• Azure DevOps Server (TFS/on-prem)
• GitHub
• GitHub Enterprise
• Bitbucket
• Other - please describe

Can you access the remote repository directly in the browser using the remote URL?

From a terminal, run git remote -v to see your remote URL.

origin https://github.com/javaniecampbell/one-ui-tailwind.git

• Yes - as long as I am signed to my GitHub a/c as it is a private repo
• No, I get a permission error
• No, for a different reason - please describe

[Azure DevOps only] What format is your remote URL?

• Not applicable
• https://dev.azure.com/`{org}`/...
• https://{org}@dev.azure.com/{org}/...
• https://{org}.visualstudio.com/...

[Azure DevOps only] If the account picker shows more than one identity as you authenticate, check that you selected the same one that has access on the web.

• Not applicable
• I only see one identity
• I checked each identity and none worked

Expected behavior

I am authenticated and my Git operation completes successfully.

Actual behavior

After attempting to do a git operation e.g. git pull it threw an error as shown below:

$ git pull
git: 'credential-manager-core' is not a git command. See 'git --help'.
git: 'credential-manager-core' is not a git command. See 'git --help'.
Already up to date.

Logs

Set the environment variables GCM_TRACE=1 and GIT_TRACE=1 and re-run your Git command. Review and redact any private information and attach the log.

$ git push
git: 'credential-manager-core' is not a git command. See 'git --help'.
git: 'credential-manager-core' is not a git command. See 'git --help'.
Enumerating objects: 7, done.
Counting objects: 100% (7/7), done.
Delta compression using up to 8 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 368 bytes | 92.00 KiB/s, done.
Total 4 (delta 3), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (3/3), completed with 3 local objects.
To https://github.com/javaniecampbell/one-ui-tailwind.git
   cfb7ae0..6a555ed  master -> master

Feature description

Rather than having platform/distribution-mechanism specific post-install configuration logic, we should just move this to .NET code, and introduce some new CLI verbs that can be easily invoked from the installers etc.

• configure/install:
  • Configure ourselves as the credential helper, ideally in user/global config.
• unconfigure
  • Remove GCM from the configured credential helper. Should we reset to previous or platform default? Just remove our setting?
• uninstall
  • Invoke the uninstall script on Mac and invoke the Inno uninstaller on Windows?

Feature description

The GitHub Provider supports cloud github.com URLs but can also be configured to support GitHub Enterprise instances with their random URLs via the GCM_PROVIDER/credential.provider configurations.

e.g.

git config --global credential.ghe.contoso.com.authority github

Although it isn't documented it is already possible to do the following for Bitbucket Server URLs:

git config --global credential.bbs.contoso.com.authority bitbucket

This does actually work-ish.
The URL is correctly identified and the Bitbucket Provider is used but unfortunately everything then falls apart because:

• Bitbucket Server does not support OAuth 2.0
• Bitbucket Server does not share a common REST API with bitbucket.org
• Bitbucket Server does not include the username in HTTP Git URLs
• Bitbucket Server does not support 2FA out of the box

Additionally, but not blocking

• Bitbucket Server does not support 2FA
• Bitbucket Server does not include usernames in the HTTP Git URLs

So to support Bitbucket Server in the simplest way the existing Bitbucket Provider would need to be extended to support the following:

• Identify URL hosts other than bitbucket.org as Bitbucket Server hosts
• Assume the Bitbucket Server does not support 2FA, therefore bypass any OAuth 2.0 requests and only support Basic Auth
• Store Bitbucket Server credentials with a key like git:https://bbs.contoso.com as well as git:https://[email protected]

By storing credentials under git:https://bbs.contoso.com it has the potential for a user of multiple accounts to keep overwriting the credentials but I think that can be safely ignored as

• that is already an issue with the GitHub Provider AFAICS
• very few users will actually have multiple user accounts on a given server.

I have a proof of concept here: master...itofinity:issue/support-bbs-basicauth

Which version of GCM Core are you using?

Git Credential Manager version 2.0.164-beta+1264f234c7 (Windows, .NET Framework 4.0.30319.42000)

(Can also reproduce on macOS)

Which Git host provider are you trying to connect to?

HTTP(S) basic authentication

Expected behavior

>git-credential-manager-core store
protocol=https
host=host.name
username=foo
password=bar

>git-credential-manager-core get
protocol=https
host=host.name

protocol=https
host=host.name
username=foo
password=bar

Actual behavior

>git-credential-manager-core get
protocol=https
host=host.name

Enter credentials for 'https://host.name/'

This case of needing to fill the username is very common. For example, the series of interactions with Git described above happens if the remote is defined as https://host.name/path.git (as opposed to https://[email protected]/path.git). That means that, in practice, GCM Core appears to the user not to be able save credentials for https remotes without username@ in the URI (actually, they do get saved just fine, but under a different key than the one that’s used to try to retrieve them the next time).

Possible resolutions

The quandary arises from the implicit design assumption that any get request carries enough information to generate a unique, stable credential key that can be directly retrieved from the store. In the case of basic authentication without knowledge of a username, that doesn't hold.

In GCM for Mac and Linux the targetURI is always constructed, i.e. both retrieved and saved, as protocol://host (never including the username). This implementation works, but removes some flexibility (e.g. the option to save credentials for different usernames on the same host and distinguish among them by specifying username@ in the remote URL).

In GCM for Windows, this case is handled by setting CREDUI_FLAGS_PERSIST, so that credui itself saves the credential with label git:https://hostname (independent of any invocation of git-credential-manager store that might follow). But that approach doesn't seem to generalize well: for example, on macOS, we don't invoke a system UI for collecting credentials at all, so there isn't an analogous flag.

Of course, we could still store the credential this way after collecting it from stdin. But that creates a leaky abstraction: git doesn't expect anything permanent to happen on a get, only a store, so we are kind of going behind its back. In practice, that seems to be a contributor to problems with zombie credentials.

Legacy wincred enumerates through the credentials in the store and checks each one to see if it matches the pieces of information it does have. It seems like that's the right approach here, but it requires extending the credential store interface to have something like a GetAll or Enumerate method. I'd like to submit a patch to implement this change soon, but wanted to document this first and see if the maintainers had any input.

We currently do not have any GUI for Bitbucket and GitHub on macOS (and Linux) and require a TTY be present and available.

IDEs and other graphical-only tools that shell out to git will either hang (if they fail to set GIT_TERMINAL_PROMPT to 0) or error immediately as there is not TTY available and there are no supported GUI prompts.

The current Windows-only GUIs for Bitbucket and GitHub are written in WPF/XAML. We should be able to port these to Avalonia with minimal effort and get Mac and Linux GUIs "for free".

Because Git redirects the standard input/output streams of GCM we cannot use Console.ReadKey.

We should implement some native interop to get to the actually connected TTY (/dev/tty on UNIX, and CONIN$/CONOUT$ on Windows) as GCM Windows, and Git itself does.

The Windows Microsoft Authentication helper currently captures the ADAL logging information when GCM_TRACE=1. The macOS version currently does not. We should ensure parity here.

Feature description

$ git credential-manager-core --help
No manual entry for git-credential-manager-core

Either a real man page or at least link to the online documentation.

We may want to look at directly using the access tokens (ATs) from MSAL/ADAL rather than exchanging them for Azure DevOps personal access tokens (PATs).

There were concerns about the maximum supported size of a HTTP request header with cURL in GCM Windows which meant we opted for (compact) PATs. This may no longer be a limitation.

A few other possible (performance) concerns:

• Since we'd be asking MSAL/ADAL to get the AT each time, we're now shelling out to the helper proc for every Git auth request whereas currently we just P/Invoke to Keychain/WinCredAPI.
• PATs 'just work' and we don't need to know or resolve the tenant for the Azure DevOps organisation, which would now require another web call for every Git auth request. We'd rather not have to introduce an org-tenant cache (people can switch an org's tenant as a common 'growing up' scenario from MSA to AAD).
• If we move to always calling MSAL/ADAL and we're sharing the Visual Studio token cache files we might be running into contention for that file/locking the cache since GCM does not live for a long time (we always must read/write to the file for each call), and many applications call/spawn Git in the background (see VSCode's 'auto-fetch every 10 seconds' feature).
• The Azure DevOps server might take longer to validate the AT is valid vs a PAT, or there may be increased load server-side (if an AAD<->Azure DevOps call is required to do this).

We are currently using the same client ID as Visual Studio for ADAL (this is what GCM Windows also used). We should move to our own client ID, and have it join the Microsoft FoCI.

Question(s): should we join FoCI and become a 1st party app or not? Is consent not something we want to show?

We hope to make a Linux version of GCM Core. Since the tool is built on .NET Core, most of our logic will carry over automatically. There are a few platform-specific bits to handle, though:

1. How should we store secrets on Linux? We need to integrate directly with something here, and the answer might be obvious to an expert.
2. How does the user experience change? To start, we can have command-line and browser prompts only. Do we need to do something special on Linux to open a browser? When we update the GUI components to something like Avalonia, will Linux GUI work immediately?
3. How to install? Likely, we will want to ship a .deb package so users can install via apt-get the same way macOS users can install via brew.

These are all important, technically challenging items.

Update!

We have a pre-release of a GCM Core that supports Linux! 🥳 See this comment below for more information.

Feature description

Bitbucket Server Datacenter supports SAML authentication against an external IDP.

This functionality can also be provided to regular Bitbucket Server by several marketplace plugins.

It would be great if GCMC could include support for this, in order to avoid the need to manually create user tokens for git client authentication.

Thank you!

GCM Windows supports BitBucket as a Git host provider.. GCM Core should provide some support for this provider.

On Windows there is custom Windows-only UI that could/should be ported. On macOS we can use a TTY-based prompt (like we use for GitHub currently) for now.

Similar to the GCM Windows installer, and GCM Core macOS package, we need a way to install GCM Core on Windows platforms.

Looks like the code that was copied from the .NET runtime had the flag check inverted!

See the issue: dotnet/runtime#1724
..and their fix PR: dotnet/runtime#32947

A small test app showing the value of IsDesktopSession..
In an SSH session:

In an interactive session:

Feature description

Homebrew is a really nice way to manage installing and updating applications on macOS. Is there any way to be able to install this that way?

Which version of GCM Core are you using?

From a terminal, run git-credential-manager-core version and paste the output.

Git Credential Manager version 2.0.194-beta+819e6bc120 (Windows, .NET Framework 4.0.30319.42000)
git version 2.28.0.windows.1

Which Git host provider are you trying to connect to?

• Azure DevOps
• Azure DevOps Server (TFS/on-prem)
• GitHub
• GitHub Enterprise
• Bitbucket
• Other - please describe

Can you access the remote repository directly in the browser using the remote URL?
It need to be an repo needed auth(or test push instead?)

From a terminal, run git remote -v to see your remote URL.

https://github.com:443/yyjdelete/zzzz
or any other private repository with non-default port (http or https), the above one with 443 is just used as an quick test.

• Yes
• No, I get a permission error
• No, for a different reason - please describe

When I try to access an repository with port in url which need auth , I see an new fatal shown after update to git-for-windows 2.28 and switch to GCM-Core(with credential.helper=manager-core)

Expected behavior

No fatal message should be shown.

Actual behavior

fatal:invalid URI: failed to parse host name.

Logs

Set the environment variables GCM_TRACE=1 and GIT_TRACE=1 and re-run your Git command. Review and redact any private information and attach the log.

git clone https://github.com:443/yyjdelete/zzzz 3
16:58:07.131533 exec-cmd.c:237          trace: resolved executable dir: D:/Tools/Git/mingw64/bin
16:58:07.133519 git.c:444               trace: built-in: git clone https://github.com:443/yyjdelete/zzzz 3
Cloning into '3'...
16:58:07.152508 run-command.c:663       trace: run_command: git remote-https origin https://github.com:443/yyjdelete/zzzz
16:58:07.176495 exec-cmd.c:237          trace: resolved executable dir: D:/Tools/Git/mingw64/libexec/git-core
16:58:07.177511 git.c:704               trace: exec: git-remote-https origin https://github.com:443/yyjdelete/zzzz
16:58:07.177511 run-command.c:663       trace: run_command: git-remote-https origin https://github.com:443/yyjdelete/zzzz
16:58:07.196501 exec-cmd.c:237          trace: resolved executable dir: D:/Tools/Git/mingw64/libexec/git-core
16:58:08.975515 run-command.c:663       trace: run_command: 'git credential-manager-core get'
16:58:09.046435 exec-cmd.c:237          trace: resolved executable dir: D:/Tools/Git/mingw64/libexec/git-core
16:58:09.048434 git.c:704               trace: exec: git-credential-manager-core get
16:58:09.048434 run-command.c:663       trace: run_command: git-credential-manager-core get
16:58:09.101391 ...\Application.cs:69   trace: [RunInternalAsync] Git Credential Manager version 2.0.194-beta+819e6bc120 (Windows, .NET Framework 4.0.30319.42000) 'get'
16:58:09.104401 ...\Command.cs:63       trace: [ExecuteAsync] Start 'get' command...
fatal: 无效的 URI: 未能分析主机名。
16:58:09.149363 run-command.c:663       trace: run_command: bash -c 'cat >/dev/tty && read -r line </dev/tty && echo "$line"'
Username for 'https://github.com:443': git

UPDATED:
Looks like the same as microsoft/Git-Credential-Manager-for-Windows#271 in old GCM(non-core version)

Hi,

I am using traditional git with gitlab, github, bitbucket. From those only github is having ssh access. I do have multiple accounts on other sites so I normally go with https access. More flexible for me. It never gives me any issue.

But recently I needed to clone site from azure dev ops. And that was not working with traditional git. So, I follow up the issue and tried the new beta version. It work with Azure dev ops but it did broke with every other git provider. I did mention this in issue .

cc/ @mjcheetham

Add support for Gitea - https://gitea.io/en-us/

All dSYM binary symbols and managed PDB files should be collected and archived.

GCM Windows uses a WPF-based credential capture prompt on Windows. GCM Core currently only supports a TTY-based credential prompt on macOS and Windows.

We should port the WPF-based prompt for Windows platforms (leaving macOS using the TTY prompt for now).

When I try to push to https://dev.azure.com/git-for-windows/git-sdk-64, I am asked to sign in with my account (which is an MSA one). The dialog then complains "You can't sign in here with a personal account. Use your work or school account instead." (But obviously, when I do use my work account, the push fails due to lack of permissions.)

We currently only build a 64-bit version of GCM Core for Windows. We should also build a 32-bit version.
LibGit2 is our only native dependency.

Update the certificates we use to sign binaries and the Windows installer.

The Microsoft Authenticode certificate should be replaced with Microsoft400 according to an internal migration table.

Also see microsoft/VFSForGit#1312 where the same change was required.

GCM for Windows has an important setting for using Git on headless environments:

GCM_INTERACTIVE and credential.interactive

These are important to bring over so we don't break headless scenarios, as well as being able to forcibly disable interactive auth in certain scenarios.

At the moment GCM Core can shell out to external 'helper' applications that display authentication GUIs to capture input and notify the user of an OAuth flow. The name of the helpers are hard-coded, and the binaries must exist next to the main GCM Core binary on disk. This makes it hard to replace or add helpers not shipped in-box.

Proposal

1. Introduce a configurable 'search path' setting (environment variable?) that external helpers can plug in to let GCM Core discover them.
2. Add a setting to override the name of the UI helper for each host provider (e.g., credential.githubAuthHelper = gh-cl-helper)
3. 3rd party helpers can add themselves on the 'helper search path' and set the credential.*AuthHelper option

Issues

1. Malicious apps could insert themselves in the search path and capture/send-home input secrets. How can we verify or trust which application we're launching? Is this onus on the user?
2. Multiple helpers could start fighting over the order of the search path setting, which might be confusing/annoying for users. Do we need to take more control over this? git-credential-manager-core install-plugin <x>? Too complicated?

Feature description

In GCM Windows it is possible to set the chosen authority to any of the available options, rather than the 'auto' feature which uses the standard input dictionary from Git to determine the correct one.

This is a useful feature to be able to specify and support GitHub Enterprise customers who wish to have their servers detected as GitHub and not basic/services by the generic provider.

The existing configuration for GCM Windows users is...

[credential "mygheserver.com"]
    authority = GitHub

We should either take the same configuration values, or create our own key credential.host/provider whilst taking into account the legacy 'authority' values.

The HostProviderRegistry would be the appropriate component to perform this check and lookup.

I was testing GCM Core on my Linux machine, when I ran into a couple errors:

stolee@stolee-linux-metal:/_git/office/src$ GCM_TRACE=1 git-credential-manager-core configure
13:04:35.696346 ...er/Application.cs:69 trace: [RunInternalAsync] Git Credential Manager version 2.0.214-beta+2e9919d0b8 (Linux, .NET Core 3.1.7) 'configure'
13:04:35.719149 ...rationService.cs:124 trace: [RunAsync] Configuring component 'Git Credential Manager'...
Configuring component 'Git Credential Manager'...
fatal: Index was outside the bounds of the array.

stolee@stolee-linux-metal:/_git/office/src$ git config --unset credential.helper

stolee@stolee-linux-metal:/_git/office/src$ GCM_TRACE=1 git-credential-manager-core configure
13:04:57.168842 ...er/Application.cs:69 trace: [RunInternalAsync] Git Credential Manager version 2.0.214-beta+2e9919d0b8 (Linux, .NET Core 3.1.7) 'configure'
13:04:57.192033 ...rationService.cs:124 trace: [RunAsync] Configuring component 'Git Credential Manager'...
Configuring component 'Git Credential Manager'...
fatal: Failed to get Git configuration multi-valued entry 'credential.helper' with value regex '.*'. Exit code '1' (level=All)

The .NET Framework GCM supports being used from behind a proxy. We should look at what is required (if anything) to allow these customer scenarios to work with GCM Core.

The current preview cannot be used on Mac because it is not signed correctly. (at least for Catalina)

The current Windows installer just drops the GCM Core binaries in %ProgramFiles%. We should also look at setting the credential.helper configuration entry, as well as the required useHttpPath = true entry for dev.azure.com remotes.

A few options include:

• Replicate GCM Windows and introduce an install command that discovers all Git installations (including msys installs?) and copies itself into the directory, and sets the credential.helper = manager
• Set the current user's ~/.gitconfig to:

[credential]
    helper = # empty value first to reset the helper list from --system
    helper = <path/to/gcmcore>

• Put %ProgramFiles%\Git Credential Manager on the %PATH%? (problem: how do we support side-by-side GCM Core and GCM Windows if they're both called git-credential-manager.exe?)
• Something else?

These options require answering the question about should GCM Core be a machine-wide or user-scoped install?

Feature description

With GCM Core on macOS, you cannot paste in a password into the password field. This makes it very difficult to use with password managers.

We should include the workflow scope for PATs and OAuth tokens created for GitHub or else users would not be able to push packs that include new workflow files.

According to the documentation (step 3-4), calls to git-credential fill should immediately be followed by git-credential approve or reject depending on if the returned credentials were used successfully.

However if there are concurrent processes that have called fill but not yet approve or reject, there's a gap when another (faster) process could have completed the fill+approve combination and have stored a different credential value than what the first process got from fill.

If the first process fails and calls reject, the valid credential as approve-ed by the second process would be deleted.

Git itself calls git-credential reject (which then calls us) passing in the username/password it got from fill on failure, meaning we could perform a sanity check and only erase the stored credential in the OS credential store when the U/P values match what the caller expected to be there.

When an organisation has enabled and requires SAML SSO in order to access their repos, and we are using PATs, it is not possible to use the generated PAT because it is lost/never stored by GCM Core.

Normally we'd expect Git to tell us explicitly if a given PAT should be stored or erased after we return from a get.
However when a PAT requires SSO be enabled manually on the web, GitHub returns a 403 to which Git does nothing except print the remote: SSO required message.

Ideally we would want Git to tell us about the 403 and that the PAT was for a valid user, but lacked the specific permissions. That way we could store it and direct the user to update/change the PAT permissions, or even fix them automatically for them.

In the meantime, to workaround this we should store the PAT once we generate it. This means that when users who hit this scenario, they can come back and retry with the same PAT after enabling SSO permissions.

This workaround does break another scenario however - if the user has manually changed the permissions of the generated PAT in the web, then GCM will not prompt to generate another PAT since it always finds the existing 'bad' PAT and Git never tells us to erase it. Since this is a scenario where the user has 'done the wrong thing', it is a smaller and more unlikely situation than a user needing the SAML SSO approve their PATs.

Follow up with the Azure DevOps identity team to ensure we're handling the headers returned on the HEAD request correctly.

Based on changes made in the original Windows-only GCM, we should be using the common endpoint authority when we have an MSA backed Azure Repos organisation.

I.e., https://login.microsoftonline.com/common rather than https://login.microsoftonline.com/live.com

Currently it is cumbersome to handle multiple GitHub credentials with the github provider. One solution to this would be to include the username in the target name, just like it is included for the generic provider.

Relevant discussion: microsoft/Git-Credential-Manager-for-Windows#749

PR to fix the same issue in Git Credential Manager for Windows: microsoft/Git-Credential-Manager-for-Windows#891

Thanks much for considering this!

We should move from the ADAL authentication library to using the latest MSAL, on both Windows and macOS.

Introduce a component which provides native/system UI prompts.

This feature will allow basic authentication when the TTY is not available (such as when run from within a GUI app like Visual Studio).

Which version of GCM Core are you using?

2.0.157-beta+b11949c7a5 (macOS, .NET Core 3.1.4)

Which Git host provider are you trying to connect to?

• Bitbucket

Can you access the remote repository directly in the browser using the remote URL?

• Yes

Expected behavior

I am authenticated and my Git operation completes successfully.

Actual behavior

I was getting following:

fatal: Error converting value {null} to type 'System.Boolean'. Path 'has_2fa_enabled', line 1, position 95.
fatal: Null object cannot be converted to a value type.

followed by password prompt:
Password for 'https://***********@bitbucket.org':

instead of being authenticated automatically.

After that, I have set up 2FA for that account, repeated the git pull command, was redirected to browser to perform (two-factor) authentication and authorization, and after that all commands were automatically authenticated.

Git remote format is: https://********@bitbucket.org/*******/*******.git

Logs

$ GIT_TRACE=1 GCM_TRACE=1 git pull
13:19:54.307187 exec-cmd.c:139          trace: resolved executable path from Darwin stack: /Library/Developer/CommandLineTools/usr/bin/git
13:19:54.307700 exec-cmd.c:236          trace: resolved executable dir: /Library/Developer/CommandLineTools/usr/bin
13:19:54.308246 git.c:419               trace: built-in: git pull
13:19:54.308710 run-command.c:643       trace: run_command: git fetch --update-head-ok
13:19:54.310936 exec-cmd.c:139          trace: resolved executable path from Darwin stack: /Library/Developer/CommandLineTools/usr/libexec/git-core/git
13:19:54.311468 exec-cmd.c:236          trace: resolved executable dir: /Library/Developer/CommandLineTools/usr/libexec/git-core
13:19:54.311945 git.c:419               trace: built-in: git fetch --update-head-ok
13:19:54.313162 run-command.c:643       trace: run_command: GIT_DIR=.git git-remote-https origin https://***********@bitbucket.org/********/*********.git
13:19:54.317497 exec-cmd.c:139          trace: resolved executable path from Darwin stack: /Library/Developer/CommandLineTools/usr/libexec/git-core/git-remote-https
13:19:54.318081 exec-cmd.c:236          trace: resolved executable dir: /Library/Developer/CommandLineTools/usr/libexec/git-core
13:19:55.250236 run-command.c:643       trace: run_command: 'git credential-manager-core get'
13:19:55.257549 exec-cmd.c:139          trace: resolved executable path from Darwin stack: /Library/Developer/CommandLineTools/usr/libexec/git-core/git
13:19:55.258226 exec-cmd.c:236          trace: resolved executable dir: /Library/Developer/CommandLineTools/usr/libexec/git-core
13:19:55.258785 git.c:670               trace: exec: git-credential-manager-core get
13:19:55.258813 run-command.c:643       trace: run_command: git-credential-manager-core get
13:19:55.341929 ...er/Application.cs:69 trace: [RunInternalAsync] Git Credential Manager version 2.0.157-beta+b11949c7a5 (macOS, .NET Core 3.1.4) 'get'
13:19:55.352523 ...mmands/Command.cs:63 trace: [ExecuteAsync] Start 'get' command...
13:19:55.375781 ...mmands/Command.cs:74 trace: [ExecuteAsync] Detecting host provider for input:
13:19:55.377353 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	protocol=https
13:19:55.377399 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	host=bitbucket.org
13:19:55.377408 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	username=***********
13:19:55.381046 ...nterop/LibGit2.cs:30 trace: [GetConfiguration] Opening default Git configuration...
13:19:55.381579 ...nterop/LibGit2.cs:46 trace: [GetConfiguration] Adding local configuration from repository '/***********/.git/'...
13:19:55.382303 ...terop/LibGit2.cs:111 trace: [.ctor] Creating Git configuration snapshot...
13:19:55.382678 ...terop/LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
13:19:55.383643 ...terop/LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
13:19:55.384839 ...terop/LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.provider'...
13:19:55.385517 ...terop/LibGit2.cs:208 trace: [TryGetValue] No entry found.
13:19:55.385711 ...terop/LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
13:19:55.385763 ...terop/LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
13:19:55.385788 ...terop/LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.authority'...
13:19:55.385802 ...terop/LibGit2.cs:208 trace: [TryGetValue] No entry found.
13:19:55.385810 ...viderRegistry.cs:129 trace: [GetProvider] Performing auto-detection of host provider.
13:19:55.386649 ...mmands/Command.cs:77 trace: [ExecuteAsync] Host provider 'Bitbucket' was selected.
13:19:55.389784 ...etHostProvider.cs:68 trace: [GetCredentialAsync] Checking for refresh token with key 'git:https://***********@bitbucket.org/refresh_token'...
13:19:55.411697 ...etHostProvider.cs:78 trace: [GetCredentialAsync] Checking for credentials with key 'git:https://***********@bitbucket.org'...
13:19:55.422344 ...etHostProvider.cs:95 trace: [GetCredentialAsync] Checking if two-factor requirements for stored credentials...
13:19:55.433406 ...tbucketRestApi.cs:74 trace: [GetUserInformationAsync] HTTP: GET https://api.bitbucket.org/2.0/user
13:19:55.434828 ...pClientFactory.cs:53 trace: [CreateClient] Creating new HTTP client instance...
13:19:55.436256 ...terop/LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
13:19:55.436393 ...terop/LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
13:19:55.436418 ...terop/LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.httpsProxy'...
13:19:55.436461 ...terop/LibGit2.cs:208 trace: [TryGetValue] No entry found.
13:19:55.436479 ...terop/LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
13:19:55.436539 ...terop/LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
13:19:55.436553 ...terop/LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.httpProxy'...
13:19:55.436569 ...terop/LibGit2.cs:208 trace: [TryGetValue] No entry found.
13:19:55.436586 ...terop/LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
13:19:55.436634 ...terop/LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
13:19:55.436647 ...terop/LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'http.proxy'...
13:19:55.436662 ...terop/LibGit2.cs:208 trace: [TryGetValue] No entry found.
13:19:55.438092 ...terop/LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
13:19:55.438212 ...terop/LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
13:19:55.438268 ...terop/LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'http.sslVerify'...
13:19:55.438303 ...terop/LibGit2.cs:208 trace: [TryGetValue] No entry found.
13:19:56.513255 ...tbucketRestApi.cs:77 trace: [GetUserInformationAsync] HTTP: Response 200 [OK]
fatal: Error converting value {null} to type 'System.Boolean'. Path 'has_2fa_enabled', line 1, position 95.
fatal: Null object cannot be converted to a value type.
Password for 'https://***********@bitbucket.org':
13:20:02.439071 run-command.c:643       trace: run_command: 'git credential-manager-core store'
13:20:02.446180 exec-cmd.c:139          trace: resolved executable path from Darwin stack: /Library/Developer/CommandLineTools/usr/libexec/git-core/git
13:20:02.446747 exec-cmd.c:236          trace: resolved executable dir: /Library/Developer/CommandLineTools/usr/libexec/git-core
13:20:02.447161 git.c:670               trace: exec: git-credential-manager-core store
13:20:02.447182 run-command.c:643       trace: run_command: git-credential-manager-core store
13:20:02.536651 ...er/Application.cs:69 trace: [RunInternalAsync] Git Credential Manager version 2.0.157-beta+b11949c7a5 (macOS, .NET Core 3.1.4) 'store'
13:20:02.549673 ...mmands/Command.cs:63 trace: [ExecuteAsync] Start 'store' command...
13:20:02.569950 ...mmands/Command.cs:74 trace: [ExecuteAsync] Detecting host provider for input:
13:20:02.571532 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	protocol=https
13:20:02.571579 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	host=bitbucket.org
13:20:02.571587 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	username=***********
13:20:02.571609 ...mmands/Command.cs:75 trace: [ExecuteAsync] 	password=********
13:20:02.575107 ...nterop/LibGit2.cs:30 trace: [GetConfiguration] Opening default Git configuration...
13:20:02.575680 ...nterop/LibGit2.cs:46 trace: [GetConfiguration] Adding local configuration from repository '/***********/.git/'...
13:20:02.576407 ...terop/LibGit2.cs:111 trace: [.ctor] Creating Git configuration snapshot...
13:20:02.576729 ...terop/LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
13:20:02.577765 ...terop/LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
13:20:02.579092 ...terop/LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.provider'...
13:20:02.579774 ...terop/LibGit2.cs:208 trace: [TryGetValue] No entry found.
13:20:02.579981 ...terop/LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
13:20:02.580036 ...terop/LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
13:20:02.580063 ...terop/LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.authority'...
13:20:02.580084 ...terop/LibGit2.cs:208 trace: [TryGetValue] No entry found.
13:20:02.580098 ...viderRegistry.cs:129 trace: [GetProvider] Performing auto-detection of host provider.
13:20:02.580969 ...mmands/Command.cs:77 trace: [ExecuteAsync] Host provider 'Bitbucket' was selected.
13:20:02.583322 ...tHostProvider.cs:182 trace: [StoreCredentialAsync] Storing credential with key 'git:https://***********@bitbucket.org'...
13:20:02.625270 ...tHostProvider.cs:184 trace: [StoreCredentialAsync] Credential was successfully stored.
13:20:02.625349 ...mmands/Command.cs:81 trace: [ExecuteAsync] End 'store' command...
13:20:02.631903 run-command.c:643       trace: run_command: git rev-list --objects --stdin --not --all --quiet
13:20:02.639686 run-command.c:643       trace: run_command: git rev-list --objects --stdin --not --all --quiet
13:20:02.641667 exec-cmd.c:139          trace: resolved executable path from Darwin stack: /Library/Developer/CommandLineTools/usr/libexec/git-core/git
13:20:02.642149 exec-cmd.c:236          trace: resolved executable dir: /Library/Developer/CommandLineTools/usr/libexec/git-core
13:20:02.642593 git.c:419               trace: built-in: git rev-list --objects --stdin --not --all --quiet
13:20:02.647721 run-command.c:1577      run_processes_parallel: preparing to run up to 1 tasks
13:20:02.647741 run-command.c:1609      run_processes_parallel: done
13:20:02.647758 run-command.c:643       trace: run_command: git gc --auto
13:20:02.649905 exec-cmd.c:139          trace: resolved executable path from Darwin stack: /Library/Developer/CommandLineTools/usr/libexec/git-core/git
13:20:02.650421 exec-cmd.c:236          trace: resolved executable dir: /Library/Developer/CommandLineTools/usr/libexec/git-core
13:20:02.650897 git.c:419               trace: built-in: git gc --auto
13:20:02.651931 run-command.c:643       trace: run_command: git merge FETCH_HEAD
13:20:02.654003 exec-cmd.c:139          trace: resolved executable path from Darwin stack: /Library/Developer/CommandLineTools/usr/libexec/git-core/git
13:20:02.654557 exec-cmd.c:236          trace: resolved executable dir: /Library/Developer/CommandLineTools/usr/libexec/git-core
13:20:02.655036 git.c:419               trace: built-in: git merge FETCH_HEAD
Already up to date.
$ 

We are currently not actually using the .NET Core on Windows. We should actually use the .NET Core runtime!

The reason we are currently using .NET Framework instead is because MSAL does (didn't) support embedded browser on Windows when targeting .NET Core or .NET Standard. We can use the UseCustomWebUi extension point to restore this functionality.

Which version of GCM Core are you using?

Git Credential Manager version 2.0.194-beta+819e6bc120 (Windows, .NET Framework 4.0.30319.42000)

Which Git host provider are you trying to connect to?

• Azure DevOps
• Azure DevOps Server (TFS/on-prem)
• GitHub
• GitHub Enterprise
• Bitbucket
• Other - Self hosted Gitea

Can you access the remote repository directly in the browser using the remote URL?

• Yes
• No, I get a permission error
• No, for a different reason - please describe

Expected behavior

I am authenticated and my Git operation completes successfully.

Actual behavior

It authenticates, but It always ask for password using dialog.

The credential is saved to Credential Manager, but it keep asking for user and password if I run the command again.

Logs

First run

PS> git pull
14:33:12.384476 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
14:33:12.387491 git.c:444 trace: built-in: git pull
14:33:12.389490 run-command.c:663 trace: run_command: git fetch --update-head-ok
14:33:12.401132 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:33:12.403147 git.c:444 trace: built-in: git fetch --update-head-ok
14:33:12.407148 run-command.c:663 trace: run_command: GIT_DIR=.git git remote-https origin https://git.mps.com.br/carlos.beppler/containers
14:33:12.419111 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:33:12.421125 git.c:704 trace: exec: git-remote-https origin https://git.mps.com.br/carlos.beppler/containers
14:33:12.421125 run-command.c:663 trace: run_command: git-remote-https origin https://git.mps.com.br/carlos.beppler/containers
14:33:12.434093 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:33:12.629077 run-command.c:663 trace: run_command: 'git credential-manager-core get'
14:33:12.695540 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:33:12.697540 git.c:704 trace: exec: git-credential-manager-core get
14:33:12.697540 run-command.c:663 trace: run_command: git-credential-manager-core get
14:33:12.760548 ...\Application.cs:69 trace: [RunInternalAsync] Git Credential Manager version 2.0.194-beta+819e6bc120 (Windows, .NET Framework 4.0.30319.42000) 'get'
14:33:12.764550 ...\Command.cs:63 trace: [ExecuteAsync] Start 'get' command...
14:33:12.773550 ...\Command.cs:74 trace: [ExecuteAsync] Detecting host provider for input:
14:33:12.775551 ...\Command.cs:75 trace: [ExecuteAsync] protocol=https
14:33:12.775551 ...\Command.cs:75 trace: [ExecuteAsync] host=git.mps.com.br
14:33:12.778550 ...\LibGit2.cs:30 trace: [GetConfiguration] Opening default Git configuration...
14:33:12.780551 ...\LibGit2.cs:46 trace: [GetConfiguration] Adding local configuration from repository 'C:/Users/myself/containers/.git/'...
14:33:12.781550 ...\LibGit2.cs:111 trace: [.ctor] Creating Git configuration snapshot...
14:33:12.783552 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:33:12.784552 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:33:12.785552 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.provider'...
14:33:12.786571 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:33:12.787563 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:33:12.787563 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:33:12.787563 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.authority'...
14:33:12.788551 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:33:12.788551 ...viderRegistry.cs:129 trace: [GetProvider] Performing auto-detection of host provider.
14:33:12.790552 ...\Command.cs:77 trace: [ExecuteAsync] Host provider 'Generic' was selected.
14:33:12.793552 ...\HostProvider.cs:104 trace: [GetCredentialAsync] Looking for existing credential in store with key 'git:https://git.mps.com.br/'...
14:33:12.794145 ...\HostProvider.cs:109 trace: [GetCredentialAsync] No existing credential found.
14:33:12.795155 ...\HostProvider.cs:112 trace: [GetCredentialAsync] Creating new credential...
14:33:12.796158 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:33:12.797156 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:33:12.797156 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.allowWindowsAuth'...
14:33:12.797156 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:33:12.798164 ...icHostProvider.cs:88 trace: [GenerateCredentialAsync] Windows Integrated Authentication detection has been disabled.
14:33:12.798164 ...icHostProvider.cs:91 trace: [GenerateCredentialAsync] Prompting for basic credentials...
14:33:12.799159 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:33:12.799159 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:33:12.799159 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.interactive'...
14:33:12.800156 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:33:18.560819 ...\HostProvider.cs:114 trace: [GetCredentialAsync] Credential created.
14:33:18.561818 ...\Command.cs:81 trace: [ExecuteAsync] End 'get' command...
14:33:18.612826 run-command.c:663 trace: run_command: 'git credential-manager-core store'
14:33:18.659833 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:33:18.661829 git.c:704 trace: exec: git-credential-manager-core store
14:33:18.661829 run-command.c:663 trace: run_command: git-credential-manager-core store
14:33:18.725838 ...\Application.cs:69 trace: [RunInternalAsync] Git Credential Manager version 2.0.194-beta+819e6bc120 (Windows, .NET Framework 4.0.30319.42000) 'store'
14:33:18.730844 ...\Command.cs:63 trace: [ExecuteAsync] Start 'store' command...
14:33:18.738839 ...\Command.cs:74 trace: [ExecuteAsync] Detecting host provider for input:
14:33:18.740840 ...\Command.cs:75 trace: [ExecuteAsync] protocol=https
14:33:18.740840 ...\Command.cs:75 trace: [ExecuteAsync] host=git.mps.com.br
14:33:18.740840 ...\Command.cs:75 trace: [ExecuteAsync] username=carlos.beppler
14:33:18.740840 ...\Command.cs:75 trace: [ExecuteAsync] password=********
14:33:18.744842 ...\LibGit2.cs:30 trace: [GetConfiguration] Opening default Git configuration...
14:33:18.746848 ...\LibGit2.cs:46 trace: [GetConfiguration] Adding local configuration from repository 'C:/Users/myself/containers/.git/'...
14:33:18.748842 ...\LibGit2.cs:111 trace: [.ctor] Creating Git configuration snapshot...
14:33:18.749842 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:33:18.750842 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:33:18.752842 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.provider'...
14:33:18.752842 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:33:18.753840 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:33:18.753840 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:33:18.753840 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.authority'...
14:33:18.754840 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:33:18.754840 ...viderRegistry.cs:129 trace: [GetProvider] Performing auto-detection of host provider.
14:33:18.755843 ...\Command.cs:77 trace: [ExecuteAsync] Host provider 'Generic' was selected.
14:33:18.756850 ...\HostProvider.cs:143 trace: [StoreCredentialAsync] Storing credential with key 'git:https://[email protected]/'...
14:33:18.760851 ...\HostProvider.cs:145 trace: [StoreCredentialAsync] Credential was successfully stored.
14:33:18.760851 ...\Command.cs:81 trace: [ExecuteAsync] End 'store' command...
14:33:18.774845 run-command.c:663 trace: run_command: git rev-list --objects --stdin --not --all --quiet --alternate-refs
14:33:18.796847 run-command.c:663 trace: run_command: git rev-list --objects --stdin --not --all --quiet --alternate-refs
14:33:18.808849 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:33:18.811849 git.c:444 trace: built-in: git rev-list --objects --stdin --not --all --quiet --alternate-refs
14:33:18.829852 run-command.c:1617 run_processes_parallel: preparing to run up to 1 tasks
14:33:18.829852 run-command.c:1649 run_processes_parallel: done
14:33:18.829852 run-command.c:663 trace: run_command: git gc --auto
14:33:18.840854 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:33:18.842855 git.c:444 trace: built-in: git gc --auto
14:33:18.850855 run-command.c:663 trace: run_command: git merge FETCH_HEAD
14:33:18.862857 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:33:18.864857 git.c:444 trace: built-in: git merge FETCH_HEAD
Already up to date.

** Second run **

PS> git pull
14:37:14.921548 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/bin
14:37:14.924547 git.c:444 trace: built-in: git pull
14:37:14.927554 run-command.c:663 trace: run_command: git fetch --update-head-ok
14:37:14.939573 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:37:14.942587 git.c:444 trace: built-in: git fetch --update-head-ok
14:37:14.945586 run-command.c:663 trace: run_command: GIT_DIR=.git git remote-https origin https://git.mps.com.br/carlos.beppler/containers
14:37:14.957584 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:37:14.959585 git.c:704 trace: exec: git-remote-https origin https://git.mps.com.br/carlos.beppler/containers
14:37:14.959585 run-command.c:663 trace: run_command: git-remote-https origin https://git.mps.com.br/carlos.beppler/containers
14:37:14.973586 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:37:15.233281 run-command.c:663 trace: run_command: 'git credential-manager-core get'
14:37:15.301848 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:37:15.303848 git.c:704 trace: exec: git-credential-manager-core get
14:37:15.303848 run-command.c:663 trace: run_command: git-credential-manager-core get
14:37:15.368848 ...\Application.cs:69 trace: [RunInternalAsync] Git Credential Manager version 2.0.194-beta+819e6bc120 (Windows, .NET Framework 4.0.30319.42000) 'get'
14:37:15.372848 ...\Command.cs:63 trace: [ExecuteAsync] Start 'get' command...
14:37:15.381848 ...\Command.cs:74 trace: [ExecuteAsync] Detecting host provider for input:
14:37:15.383848 ...\Command.cs:75 trace: [ExecuteAsync] protocol=https
14:37:15.383848 ...\Command.cs:75 trace: [ExecuteAsync] host=git.mps.com.br
14:37:15.386848 ...\LibGit2.cs:30 trace: [GetConfiguration] Opening default Git configuration...
14:37:15.388848 ...\LibGit2.cs:46 trace: [GetConfiguration] Adding local configuration from repository 'C:/Users/myself/containers/.git/'...
14:37:15.390849 ...\LibGit2.cs:111 trace: [.ctor] Creating Git configuration snapshot...
14:37:15.391849 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:37:15.393849 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:37:15.395849 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.provider'...
14:37:15.395849 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:37:15.396848 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:37:15.396848 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:37:15.396848 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.authority'...
14:37:15.397850 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:37:15.397850 ...viderRegistry.cs:129 trace: [GetProvider] Performing auto-detection of host provider.
14:37:15.398849 ...\Command.cs:77 trace: [ExecuteAsync] Host provider 'Generic' was selected.
14:37:15.401848 ...\HostProvider.cs:104 trace: [GetCredentialAsync] Looking for existing credential in store with key 'git:https://git.mps.com.br/'...
14:37:15.402851 ...\HostProvider.cs:109 trace: [GetCredentialAsync] No existing credential found.
14:37:15.403848 ...\HostProvider.cs:112 trace: [GetCredentialAsync] Creating new credential...
14:37:15.404849 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:37:15.405849 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:37:15.405849 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.allowWindowsAuth'...
14:37:15.405849 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:37:15.406848 ...icHostProvider.cs:88 trace: [GenerateCredentialAsync] Windows Integrated Authentication detection has been disabled.
14:37:15.406848 ...icHostProvider.cs:91 trace: [GenerateCredentialAsync] Prompting for basic credentials...
14:37:15.407856 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:37:15.407856 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:37:15.407856 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.interactive'...
14:37:15.407856 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:37:21.510922 ...\HostProvider.cs:114 trace: [GetCredentialAsync] Credential created.
14:37:21.511919 ...\Command.cs:81 trace: [ExecuteAsync] End 'get' command...
14:37:21.732557 run-command.c:663 trace: run_command: 'git credential-manager-core store'
14:37:21.797569 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:37:21.799568 git.c:704 trace: exec: git-credential-manager-core store
14:37:21.799568 run-command.c:663 trace: run_command: git-credential-manager-core store
14:37:21.865567 ...\Application.cs:69 trace: [RunInternalAsync] Git Credential Manager version 2.0.194-beta+819e6bc120 (Windows, .NET Framework 4.0.30319.42000) 'store'
14:37:21.869567 ...\Command.cs:63 trace: [ExecuteAsync] Start 'store' command...
14:37:21.878568 ...\Command.cs:74 trace: [ExecuteAsync] Detecting host provider for input:
14:37:21.879568 ...\Command.cs:75 trace: [ExecuteAsync] protocol=https
14:37:21.880568 ...\Command.cs:75 trace: [ExecuteAsync] host=git.mps.com.br
14:37:21.880568 ...\Command.cs:75 trace: [ExecuteAsync] username=carlos.beppler
14:37:21.880568 ...\Command.cs:75 trace: [ExecuteAsync] password=********
14:37:21.883566 ...\LibGit2.cs:30 trace: [GetConfiguration] Opening default Git configuration...
14:37:21.885567 ...\LibGit2.cs:46 trace: [GetConfiguration] Adding local configuration from repository 'C:/Users/myself/containers/.git/'...
14:37:21.886568 ...\LibGit2.cs:111 trace: [.ctor] Creating Git configuration snapshot...
14:37:21.887568 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:37:21.889571 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:37:21.891570 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.provider'...
14:37:21.892569 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:37:21.892569 ...\LibGit2.cs:139 trace: [Enumerate] Enumerating Git configuration entries...
14:37:21.892569 ...\LibGit2.cs:146 trace: [Enumerate] Enumeration complete.
14:37:21.893569 ...\LibGit2.cs:199 trace: [TryGetValue] Reading Git configuration entry 'credential.authority'...
14:37:21.893569 ...\LibGit2.cs:208 trace: [TryGetValue] No entry found.
14:37:21.893569 ...viderRegistry.cs:129 trace: [GetProvider] Performing auto-detection of host provider.
14:37:21.894568 ...\Command.cs:77 trace: [ExecuteAsync] Host provider 'Generic' was selected.
14:37:21.895568 ...\HostProvider.cs:143 trace: [StoreCredentialAsync] Storing credential with key 'git:https://[email protected]/'...
14:37:21.899568 ...\HostProvider.cs:145 trace: [StoreCredentialAsync] Credential was successfully stored.
14:37:21.899568 ...\Command.cs:81 trace: [ExecuteAsync] End 'store' command...
14:37:21.912568 run-command.c:663 trace: run_command: git rev-list --objects --stdin --not --all --quiet --alternate-refs
14:37:21.933568 run-command.c:663 trace: run_command: git rev-list --objects --stdin --not --all --quiet --alternate-refs
14:37:21.945569 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:37:21.947569 git.c:444 trace: built-in: git rev-list --objects --stdin --not --all --quiet --alternate-refs
14:37:21.964569 run-command.c:1617 run_processes_parallel: preparing to run up to 1 tasks
14:37:21.964569 run-command.c:1649 run_processes_parallel: done
14:37:21.964569 run-command.c:663 trace: run_command: git gc --auto
14:37:21.976570 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:37:21.978569 git.c:444 trace: built-in: git gc --auto
14:37:21.985569 run-command.c:663 trace: run_command: git merge FETCH_HEAD
14:37:21.996568 exec-cmd.c:237 trace: resolved executable dir: C:/Program Files/Git/mingw64/libexec/git-core
14:37:21.999567 git.c:444 trace: built-in: git merge FETCH_HEAD
Already up to date.

We should share the Visual Studio token cache (ADAL for 2017/9, MSAL 2019+) using the correct 'extensions' library (Microsoft.Identity.Client.Extensions) to be consistent with file access and locking.

Note: This is currently scoped to only VS for Windows only, not VS for Mac.