Removing oauthClientSecret from .gitconfig

[EML-github]

A question, rather than an issue. I have a generic remote repo which is implemented with Apache, mod_oauth2, and Keycloak, with 2FA. This all works (thanks - great work). The .gitconfig is:

[credential "https://example.com"]
  helper            = cache --timeout 7200
  helper            = "oauth -verbose"
  oauthClientId     = openid-cli
  oauthScopes       = "openid email"
  oauthAuthURL      = ...
  oauthTokenURL     = ...
  oauthRedirectUri  = http://127.0.0.1
  oauthClientSecret = ...

[user]
  name  = ...
  email = ...

However, there's a problem - the .gitconfig contains the client secret. Is there some way I can manually enter the secret once, and leave it out of the config file?

[hickford]

I'm not familiar with mod_oauth2. Does it support OAuth public clients?

For a native app such as git-credential-oauth, it's expected that the client credentials are non confidential https://datatracker.ietf.org/doc/html/rfc6749#section-2.1

It is assumed that any client authentication credentials included in the application can be extracted

GitLab supports OAuth public clients. https://docs.gitlab.com/ee/api/oauth2.html

The Authorization code with PKCE flow, PKCE for short, makes it possible to securely perform the OAuth exchange of client credentials for access tokens on public clients without requiring access to the Client Secret at all. This makes the PKCE flow advantageous for single page JavaScript applications or other client side apps where keeping secrets from the user is a technical impossibility.

In the source of this project, you'll see that gitlab.com has no OAuth client secret

git-credential-oauth/main.go

Lines 50 to 53 in bb8e34c

	"gitlab.com": {
	ClientID: "10bfbbf46e5b760b55ce772a262d7a0205eacc417816eb84d37d0fb02c89bb97",
	Endpoint: endpoints.GitLab,
	Scopes: []string{"read_repository", "write_repository"}},