Manage git authentication for remote git https projects

[sunix]

Description

In this proposal, I give an example using Github, but could be gitlab or anyother git providers.
In this proposal, I give an example using che.openshift.io, but could be any Che instance.

This is a proposal to simply manage github https authentication in Che for pushing changes.

The goal is to implement the flow where a user, using che.openshift.io would have almost nothing to do to be able to work on a github project and push his changes

1. User starts a workspace (from a devfile or ...) containing github projects (https)

2. User is redirected and is asked to loggin in che.openshift.io. che.openshift.io would ask for authorisation through Github OAuth to have push rights. Che gets a OAuth token and store that to keycloak. Retrieve that token with keycloak token exchange and store in the user preferences or cache it.

3. For each github https projects and on each wanted containers set github token/oauth. Would be done automatically by Che-theia after clone and at startup for existing project. Something like:

   git config --global credential.helper 'cache --timeout=3600'
   cd /projects/myproject
   # Note that the push dry-run is just there to cache the username and password
   git push https://<gh-username>:<github-token-oauth>@github.com/user/myproject --dry-run

4. User uses the theia user interface to commit and push (would need to fix push in theia) or the command line ... without having to enter his credentials everytime or setup any ssh keys.

Resources:

https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage
https://help.github.com/en/articles/caching-your-github-password-in-git
https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line#creating-a-token

Value for the users and customers

Users won't have to do anything else than authorising github oauth. This would be done with the web standards. The default https repos provided by github could be used (for logged user, by default, github suggests https clone URL when no ssh keys has been uploaded).

[tsmaeder]

As I understand it, the current state is no worse than what we would have to do on your own laptop.

[azatsarynnyy]

relabeled to area/plugins as it's related to git plugin

[sunix]

As I understand it, the current state is no worse than what we would have to do on your own laptop.

@tsmaeder It is a lot worse than on your own laptop:

• if you use https, you would have to set manually your git credential store and would loose it after restart or if you create a new workspace
• Ssh is not solving the problems: it requires the enduser to magically add a git ssh remote ... we could do it automatically though. I don't think this is done.

Maybe #15421 would be part of the solution.

[che-bot]

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

[l0rd]

Should be addressed by #20583

[l0rd]

Implemented a long time ago. Closing.