I'm troubleshooting what seems to be a credentials issue with git communicating with the remote (very similar to this, but none of the answers fix my issue).
After setting git to proxy through fiddler I see that each execution of git pull results in 3 https requests after the connect.
Is this normal? If so, why?
Usually Git does not perform two requests that get a 401 response before getting a 200, unless it is using the Negotiate scheme with NTLM or Kerberos. Those protocols require multiple round trips to pass the authentication along.
It's possible you have a credential helper that is passing along an empty password or some other invalid data. You can try to query it by doing something like this:
$ echo url=https://server.example.com/owner/name.git | git credential fill
That should show you what Git is getting as far as credentials. If Git gets both a valid username and password, it will not make a request with only a username.
If you need to remove credentials from the credential manager, there's a Git FAQ entry that tells you how to do that. Git Credential Manager for Windows is broken and doesn't remove credentials properly, so if you're using it, you have to remove credentials by hand.
The error message could be avoided with Git 2.41 (Q2 2023): it allows information carried on the WWW-AUthenticate header to be passed to the credential helpers.
See commit 5f2117b, commit 6b8dda9, commit 988aad9 (27 Feb 2023) by Matthew John Cheetham (mjcheetham).
(Merged by Junio C Hamano -- gitster -- in commit 92c56da, 17 Mar 2023)
http: read HTTPWWW-Authenticateresponse headersSigned-off-by: Matthew John Cheetham
Read and store the HTTP WWW-Authenticate response headers made for a particular request.
This will allow us to pass important authentication challenge information to credential helpers or others that would otherwise have been lost.
libcurl only provides us with the ability to read all headers recieved for a particular request, including any intermediate redirect requests or proxies.
The lines returned bylibcurlinclude HTTP status lines delinating any intermediate requests such as "HTTP/1.1 200".
We use these lines to reset the strvec of WWW-Authenticate header values as we encounter them in order to only capture the final response headers.The collection of all header values matching the
WWW-Authenticateheader is complicated by the fact that it is legal for header fields to be continued over multiple lines, but libcurl only gives us each physical line a time, not each logical header.
This line folding feature is deprecated in RFC 7230 but older servers may still emit them, so we need to handle them.In the future we may be able to leverage functions to read headers from libcurl itself, but as of today we must do this ourselves.
Credentials helpers will benefit from this:
credential: add WWW-Authenticate header to cred requestsSigned-off-by: Matthew John Cheetham
Add the value of the
WWW-Authenticateresponse header to credential requests.
Credential helpers that understand and support HTTP authentication and authorization can use this standard header (RFC 2616 Section 14.47) to generate valid credentials.
WWW-Authenticateheaders can contain information pertaining to the authority, authentication mechanism, or extra parameters/scopes that are required.The current I/O format for credential helpers only allows for unique names for properties/attributes, so in order to transmit multiple header values (with a specific order) we introduce a new convention whereby a C-style array syntax is used in the property name to denote multiple ordered values for the same property.
In this case we send multiple
wwwauth[]properties where the order that the repeated attributes appear in the conversation reflects the order that the WWW-Authenticate headers appeared in the HTTP response.Add a set of tests to exercise the HTTP authentication header parsing and the interop with credential helpers.
Credential helpers will receive WWW-Authenticate information in credential requests.
git credential now includes in its man page:
Attributes with keys that end with C-style array brackets
[]can have multiple values.
Each instance of a multi-valued attribute forms an ordered list of values - the order of the repeated attributes defines the order of the values. An empty multi-valued attribute (key[]=\n) acts to clear any previous entries and reset the list.In all cases, all bytes are treated as-is (i.e., there is no quoting,
git credential now includes in its man page:
wwwauth[]When an HTTP response is received by Git that includes one or more '
WWW-Authenticate' authentication headers, these will be passed by Git to credential helpers.Each '
WWW-Authenticate' header value is passed as a multi-valued attribute 'wwwauth[]', where the order of the attributes is the same as they appear in the HTTP response.
This attribute is 'one-way' from Git to pass additional information to credential helpers.
