Go-get: review upcoming support for GOAUTH authentication mechanism

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Context

Historically the Go toolchain didn't provide a support for a authentication configuration apart from .netrc file.

But finally a new authentication option is planning to be implemented in Go 1.24 (see the issue) and the design of the proposal).

It should allow users to define alternative ways to authenticate like git credentials or a custom user authentication command.

With these new additions we should be able to offer a better support for authentication methods.

Current pain points

Private projects from subgroups with SSH authentication

Users can select a SSH authentication for private Go packages. It works well for packages located in the top group, like https://gitlab.com/namespace/project. But it doesn't work for deeply nested packages.

The request to https://gitlab.com/namespace/subgroup/project will respond with an incorrect repository URL due to missing HTTP authentication.

For private projects from subgroups user have to provide credentials via both .netrc and SSH.

It is inconvenient and has a security concern, because .netrc keeps credentials in a plain-text.

Only basic authentication support via .netrc

GitLab provides a support for various authentication options (like Personal access tokens for example). But Go toolchain cannot use them because it's limited to basic authentication via .netrc only.

Other reports

See the feedback issue with various problems that users face currently: Unable to `go get` go-packages in repositories ... (#36354 - closed).

Goal

1. Review and try upcoming changes with a connection to GitLab authentication:

• https://github.com/golang/go/issues/26232#issuecomment-2286702525
• https://github.com/golang/go/issues/26232#issuecomment-2286723143
• https://github.com/golang/go/issues/26232#issuecomment-2286961248

2. Describe new authentication workflows for GitLab projects based on the new GOAUTH mechanism.

Update (after Go 1.24)

Go 1.24 released a support for GOAUTH.

Authentication Methods

GOAUTH supports multiple authentication methods:

• netrc - Uses credentials from .netrc file
• git <path> - Uses Git credential helpers
• off - Disables authentication
• Custom commands - Execute custom authentication scripts

New git and custom command options looks promising to implement a secure authentication for Go. We need to investigate them and propose a solution.

Also, I found a OAuth solution based on git credentials. There is an open feature request to support it - #374172.