Support git-over-https with 2FA using a generic OAuth provider

Proposal

This proposal adds support for cloning and other git operations over git-over-https, authenticated through a generic OIDC/OAuth provider rather than a personal access token (PAT) or SSH key. This lets users in environments with strict two-factor authentication (2FA) requirements use git-over-https in a way that works with their existing MFA flows.

Current Challenge:

In various user environments, particularly those with strict security policies, git-over-https operations must be authenticated through existing MFA workflows. These environments typically require logging in to an Identity Provider (IdP) that issues the credentials, for example an OIDC provider configured to provide login credentials for GitLab.

Before 17.0, GitLab supported 2FA for git-over-https through a specific integration with Crowd. However, that integration was not flexible enough to accommodate other providers, and it also passed credentials through GitLab rather than sending them directly to the IdP.

Potential Solution

Use GIT_ASKPASS to implement the OAuth device authorization flow. An example implementation against GitHub's OAuth can be found here: GitHub OAuth Implementation; the same workflow should be extensible to any generic OAuth provider.

See !124912 (closed) for a proposed solution using GIT_ASKPASS
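To make the GIT_ASKPASS approach concrete, below is an added example helper (not code from GitLab, the linked MR, or the GitHub implementation referenced above). Git runs the askpass program once per prompt, passing the prompt text ("Username for ...", "Password for ...") as its only argument and reading the answer from stdout. The helper answers the username prompt with the fixed user name "oauth2", which GitLab accepts together with an OAuth access token as the password for git-over-https, and answers the password prompt by running the RFC 8628 device authorization grant against the IdP, so the user completes the provider's own MFA in a browser and no password or PAT is ever typed into git. The client id, endpoints and scopes are assumptions for illustration; the transport is injected so the flow can be exercised offline against a fake provider.

```python
"""GIT_ASKPASS helper implementing the OAuth 2.0 device authorization grant (RFC 8628).

Example code, not part of GitLab. Git calls this script once per prompt and reads
the answer from stdout, so everything user-facing goes to stderr.
"""
import json
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical provider configuration (assumed values; a real helper would read
# them from the provider's discovery document or from git config).
CLIENT_ID = "git-askpass-example"
DEVICE_ENDPOINT = "https://idp.example.com/oauth/device"
TOKEN_ENDPOINT = "https://idp.example.com/oauth/token"
SCOPE = "read_repository write_repository"   # GitLab scopes needed for git over HTTPS
GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def http_post(url, fields):
    """Form-encoded POST returning the decoded JSON body (the real transport)."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # RFC 8628 error replies (authorization_pending, slow_down, ...) come back as HTTP 400
        return json.loads(err.read().decode())


def _notify(message):
    print(message, file=sys.stderr)   # never stdout: git reads the credential from stdout


def run_device_flow(post, sleep=time.sleep, notify=_notify, max_polls=60):
    """Obtain an access token via the device flow.

    `post(url, fields) -> dict` is the transport; `sleep` and `notify` are injected
    so the flow can be tested offline. Returns the access token, or raises
    RuntimeError on a terminal error (access_denied, expired_token, timeout).
    """
    auth = post(DEVICE_ENDPOINT, {"client_id": CLIENT_ID, "scope": SCOPE})
    for key in ("device_code", "user_code", "verification_uri"):
        if key not in auth:
            raise RuntimeError("device authorization response missing %r" % key)
    where = auth.get("verification_uri_complete", auth["verification_uri"])
    notify("Open %s in a browser and enter code %s" % (where, auth["user_code"]))
    interval = int(auth.get("interval", 5))
    for _ in range(max_polls):
        sleep(interval)
        tok = post(TOKEN_ENDPOINT, {"grant_type": GRANT,
                                    "device_code": auth["device_code"],
                                    "client_id": CLIENT_ID})
        if "access_token" in tok:
            return tok["access_token"]
        err = tok.get("error")
        if err == "authorization_pending":
            continue                     # user has not finished the browser step yet
        if err == "slow_down":
            interval += 5                # RFC 8628 section 3.5: back off by 5 seconds
            continue
        raise RuntimeError("device flow failed: %s" % err)
    raise RuntimeError("device flow timed out waiting for user authorization")


def answer_prompt(prompt, get_token):
    """Map a git askpass prompt to the answer git expects on stdout."""
    lowered = prompt.lower()
    if lowered.startswith("username"):
        return "oauth2"                  # fixed user name GitLab pairs with an OAuth access token
    if lowered.startswith("password"):
        return get_token()               # token is fetched only when git asks for the password
    raise RuntimeError("unexpected askpass prompt: %r" % prompt)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: invoked by git via GIT_ASKPASS with the prompt as argument")
    sys.stdout.write(answer_prompt(sys.argv[1], lambda: run_device_flow(http_post)) + "\n")
```

Usage: `GIT_ASKPASS=/path/to/askpass.py git clone https://gitlab.example.com/group/project.git` (or set `core.askPass`). Git only consults GIT_ASKPASS when no credential helper already has a credential, so pairing this with a `credential.helper` keeps the browser round-trip to one per token lifetime rather than one per push. Two details matter for correctness: the device flow must run on the password prompt, not the username prompt, so it executes once; and all progress messages must go to stderr, because git takes whatever lands on stdout as the credential.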

Edited May 30, 2024 by Ross Cain