2020-09-29 19:13:54 +00:00
<!--
2020-10-13 21:55:17 +00:00
tagline: Access privately hosted packages/repositories
2020-09-29 19:13:54 +00:00
-->
2020-10-13 21:55:17 +00:00
# Authentication for privately hosted packages and repositories
2020-09-29 19:13:54 +00:00
2020-10-13 21:55:17 +00:00
Your [private package server ](handling-private-packages.md ) or version control system is probably secured with one
2020-09-29 19:13:54 +00:00
or more authentication options. In order to allow your project to have access to these
2020-10-13 21:55:17 +00:00
packages and repositories you will have to tell Composer how to authenticate with the server that hosts them.
2020-09-29 19:13:54 +00:00
# Authentication principles
2020-10-05 19:13:02 +00:00
Whenever Composer encounters a protected Composer repository it will try to authenticate
2020-09-29 19:13:54 +00:00
using already defined credentials first. When none of those credentials apply it will prompt
2020-10-12 14:09:21 +00:00
for credentials and save them (or a token if Composer is able to retrieve one).
2020-09-29 19:13:54 +00:00
|type|Generated by Prompt?|
|---|---|
|[http-basic](#http-basic)|yes|
|[Inline http-basic](#inline-http-basic)|no|
2022-06-07 12:04:04 +00:00
|[HTTP Bearer](#http-bearer)|no|
2020-10-12 14:09:21 +00:00
|[Custom header](#custom-token-authentication)|no|
2020-09-29 19:13:54 +00:00
|[gitlab-oauth](#gitlab-oauth)|yes|
|[gitlab-token](#gitlab-token)|yes|
2020-10-13 21:30:47 +00:00
|[github-oauth](#github-oauth)|yes|
|[bitbucket-oauth](#bitbucket-oauth)|yes|
2020-09-29 19:13:54 +00:00
Sometimes automatic authentication is not possible, or you may want to predefine
authentication credentials.
2020-09-30 17:02:58 +00:00
Credentials can be stored on 3 different places; in an `auth.json` for the project, a global
`auth.json` or in the `composer.json` itself.
2020-09-29 19:13:54 +00:00
## Authentication in auth.json per project
2020-09-30 17:02:58 +00:00
In this authentication storage method, an `auth.json` file will be present in the same folder
as the projects' `composer.json` file. You can either create and edit this file using the
2020-09-29 19:13:54 +00:00
command line or manually edit or create it.
2020-10-12 14:09:21 +00:00
> **Note: Make sure the `auth.json` file is in `.gitignore`** to avoid
> leaking credentials into your git history.
2020-09-29 19:13:54 +00:00
## Global authentication credentials
If you don't want to supply credentials for every project you work on, storing your credentials
2020-09-30 17:02:58 +00:00
globally might be a better idea. These credentials are stored in a global `auth.json` in your
2020-10-05 19:13:02 +00:00
Composer home directory.
2020-09-29 19:13:54 +00:00
### Command line global credential editing
For all authentication methods it is possible to edit them using the command line;
- [http-basic ](#command-line-http-basic )
- [Inline http-basic ](#command-line-inline-http-basic )
2022-06-07 12:04:04 +00:00
- [HTTP Bearer ](#http-bearer )
2020-09-29 19:13:54 +00:00
- [gitlab-oauth ](#command-line-gitlab-oauth )
- [gitlab-token ](#command-line-gitlab-token )
2020-10-13 21:55:17 +00:00
- [github-oauth ](#command-line-github-oauth )
- [bitbucket-oauth ](#command-line-bitbucket-oauth )
2020-09-29 19:13:54 +00:00
### Manually editing global authentication credentials
> **Note:** It is not recommended to manually edit your authentication options as this might
> result in invalid json. Instead preferably use [the command line](#command-line-global-credential-editing).
2020-10-12 14:09:21 +00:00
To manually edit it, run:
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config --global --editor [--auth]
2020-09-29 19:13:54 +00:00
```
For specific authentication implementations, see their sections;
- [http-basic ](#manual-http-basic )
- [Inline http-basic ](#manual-inline-http-basic )
2022-06-07 12:04:04 +00:00
- [HTTP Bearer ](#http-bearer )
2020-09-29 19:13:54 +00:00
- [custom header ](#manual-custom-token-authentication )
- [gitlab-oauth ](#manual-gitlab-oauth )
- [gitlab-token ](#manual-gitlab-token )
2020-10-13 21:55:17 +00:00
- [github-oauth ](#manual-github-oauth )
- [bitbucket-oauth ](#manual-bitbucket-oauth )
2020-09-29 19:13:54 +00:00
Manually editing this file instead of using the command line may result in invalid json errors.
To fix this you need to open the file in an editor and fix the error. To find the location of
2020-09-30 17:02:58 +00:00
your global `auth.json` , execute:
2020-09-29 19:13:54 +00:00
2020-10-12 14:09:21 +00:00
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config --global home
2020-09-29 19:13:54 +00:00
```
2020-09-30 17:02:58 +00:00
The folder will contain your global `auth.json` if it exists.
2020-09-29 19:13:54 +00:00
You can open this file in your favorite editor and fix the error.
## Authentication in composer.json file itself
> **Note:** **This is not recommended** as these credentials are visible
> to anyone who has access to the composer.json, either when it is shared through
> a version control system like git or when an attacker gains (read) access to
> your production server files.
2020-09-30 17:02:58 +00:00
It is also possible to add credentials to a `composer.json` on a per-project basis in the `config`
2020-10-12 14:09:21 +00:00
section or directly in the repository definition.
2020-09-29 19:13:54 +00:00
2020-10-13 21:30:47 +00:00
## Authentication using the COMPOSER_AUTH environment variable
2020-10-13 21:55:17 +00:00
> **Note:** Using the command line environment variable method also has security implications.
> These credentials will most likely be stored in memory,
2022-06-07 12:04:04 +00:00
> and may be persisted to a file like `~/.bash_history` (linux) or `ConsoleHost_history.txt`
2020-10-13 21:55:17 +00:00
> (PowerShell on Windows) when closing a session.
2020-10-13 21:30:47 +00:00
2020-10-24 10:53:20 +00:00
The final option to supply Composer with credentials is to use the `COMPOSER_AUTH` environment variable.
2020-10-13 21:55:17 +00:00
These variables can be either passed as command line variables or set in actual environment variables.
2021-02-08 08:56:57 +00:00
Read more about the usage of this environment variable [here ](../03-cli.md#composer-auth ).
2020-10-13 21:30:47 +00:00
2020-09-29 19:13:54 +00:00
# Authentication methods
## http-basic
### Command line http-basic
2020-10-12 14:09:21 +00:00
```sh
2022-06-07 12:04:04 +00:00
php composer.phar config [--global] http-basic.repo.example.org username password
2020-09-29 19:13:54 +00:00
```
2022-06-07 12:04:04 +00:00
In the above command, the config key `http-basic.repo.example.org` consists of two parts:
- `http-basic` is the authentication method.
- `repo.example.org` is the repository host name, you should replace it with the host name of your repository.
2020-09-29 19:13:54 +00:00
### Manual http-basic
2020-10-12 14:09:21 +00:00
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config [--global] --editor --auth
2020-09-29 19:13:54 +00:00
```
```json
{
"http-basic": {
"example.org": {
"username": "username",
"password": "password"
}
}
}
```
## Inline http-basic
For the inline http-basic authentication method the credentials are not stored in a separate
2020-09-30 17:02:58 +00:00
`auth.json` in the project or globally, but in the `composer.json` or global configuration
2020-10-05 19:13:02 +00:00
in the same place where the Composer repository definition is defined.
2020-09-29 19:13:54 +00:00
2020-11-18 13:41:27 +00:00
Make sure that the username and password are encoded according to [RFC 3986 ](http://www.faqs.org/rfcs/rfc3986.html ) (2.1. Percent-Encoding).
If the username e.g. is an email address it needs to be passed as `name%40example.com` .
2020-09-29 19:13:54 +00:00
### Command line inline http-basic
2020-10-12 14:09:21 +00:00
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config [--global] repositories composer.unique-name https://username:password@repo.example.org
2020-09-29 19:13:54 +00:00
```
### Manual inline http-basic
2020-10-12 14:09:21 +00:00
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config [--global] --editor
2020-09-29 19:13:54 +00:00
```
```json
{
"repositories": [
{
"type": "composer",
"url": "https://username:password@example.org"
}
]
}
```
2022-06-07 12:04:04 +00:00
## HTTP Bearer
### Command line HTTP Bearer authentication
```sh
php composer.phar config [--global] bearer.repo.example.org token
```
In the above command, the config key `bearer.repo.example.org` consists of two parts:
- `bearer` is the authentication method.
- `repo.example.org` is the repository host name, you should replace it with the host name of your repository.
### Manual HTTP Bearer authentication
```sh
php composer.phar config [--global] --editor --auth
```
```json
{
"bearer": {
"example.org": "TOKEN"
}
}
```
2020-09-29 19:13:54 +00:00
## Custom token authentication
### Manual custom token authentication
2020-10-12 14:09:21 +00:00
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config [--global] --editor
2020-09-29 19:13:54 +00:00
```
```json
{
"repositories": [
{
"type": "composer",
"url": "https://example.org",
"options": {
"http": {
"header": [
"API-TOKEN: YOUR-API-TOKEN"
]
}
}
}
]
}
```
## gitlab-oauth
> **Note:** For the gitlab authentication to work on private gitlab instances, the
2020-10-12 14:09:21 +00:00
> [`gitlab-domains`](../06-config.md#gitlab-domains) section should also contain the url.
2020-09-29 19:13:54 +00:00
### Command line gitlab-oauth
2020-10-12 14:09:21 +00:00
```sh
2022-06-07 12:04:04 +00:00
php composer.phar config [--global] gitlab-oauth.gitlab.example.org token
2020-09-29 19:13:54 +00:00
```
2022-06-07 12:04:04 +00:00
In the above command, the config key `gitlab-oauth.gitlab.example.org` consists of two parts:
- `gitlab-oauth` is the authentication method.
- `gitlab.example.org` is the host name of your GitLab instance, you should replace it with the host name of your GitLab instance or use `gitlab.com` if you don't have a self-hosted GitLab instance.
2020-09-29 19:13:54 +00:00
### Manual gitlab-oauth
2020-10-12 14:09:21 +00:00
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config [--global] --editor --auth
2020-09-29 19:13:54 +00:00
```
```json
{
"gitlab-oauth": {
"example.org": "token"
}
}
```
## gitlab-token
> **Note:** For the gitlab authentication to work on private gitlab instances, the
2020-10-12 14:09:21 +00:00
> [`gitlab-domains`](../06-config.md#gitlab-domains) section should also contain the url.
2020-09-29 19:13:54 +00:00
2021-05-04 14:05:05 +00:00
To create a new access token, go to your [access tokens section on GitLab ](https://gitlab.com/-/profile/personal_access_tokens )
2021-12-19 14:15:21 +00:00
(or the equivalent URL on your private instance) and create a new token. See also [the GitLab access token documentation ](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#creating-a-personal-access-token ) for more information.
2021-05-04 14:05:05 +00:00
2021-10-25 11:11:35 +00:00
When creating a gitlab token manually, make sure it has either the `read_api` or `api` scope.
2020-10-13 21:55:17 +00:00
2020-09-29 19:13:54 +00:00
### Command line gitlab-token
2020-10-12 14:09:21 +00:00
```sh
2022-06-07 12:04:04 +00:00
php composer.phar config [--global] gitlab-token.gitlab.example.org token
2020-09-29 19:13:54 +00:00
```
2022-06-07 12:04:04 +00:00
In the above command, the config key `gitlab-token.gitlab.example.org` consists of two parts:
- `gitlab-token` is the authentication method.
- `gitlab.example.org` is the host name of your GitLab instance, you should replace it with the host name of your GitLab instance or use `gitlab.com` if you don't have a self-hosted GitLab instance.
2020-09-29 19:13:54 +00:00
### Manual gitlab-token
2020-10-12 14:09:21 +00:00
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config [--global] --editor --auth
2020-09-29 19:13:54 +00:00
```
```json
{
"gitlab-token": {
"example.org": "token"
}
}
```
2020-10-13 21:30:47 +00:00
## github-oauth
2021-11-08 09:53:12 +00:00
To create a new access token, head to your [token settings section on Github ](https://github.com/settings/tokens ) and [generate a new token ](https://github.com/settings/tokens/new ).
For public repositories when rate limited, a token *without* any particular scope is sufficient (see `(no scope)` in the [scopes documentation ](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps )). Such tokens grant read-only access to public information.
For private repositories, the `repo` scope is needed. Note that the token will be given broad read/write access to all of your private repositories and much more - see the [scopes documentation ](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps ) for a complete list. As of writing (November 2021), it seems not to be possible to further limit permissions for such tokens.
Read more about [Personal Access Tokens ](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token ), or subscribe to the [roadmap item for better scoped tokens in GitHub ](https://github.com/github/roadmap/issues/184 ).
2020-10-13 21:30:47 +00:00
### Command line github-oauth
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config [--global] github-oauth.github.com token
2020-10-13 21:30:47 +00:00
```
2022-06-07 12:04:04 +00:00
In the above command, the config key `github-oauth.github.com` consists of two parts:
- `github-oauth` is the authentication method.
- `github.com` is the host name for which this token applies. For GitHub you most likely do not need to change this.
2020-10-13 21:30:47 +00:00
### Manual github-oauth
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config [--global] --editor --auth
2020-10-13 21:30:47 +00:00
```
```json
{
"github-oauth": {
"github.com": "token"
}
}
```
## bitbucket-oauth
2020-10-13 21:55:17 +00:00
The BitBucket driver uses OAuth to access your private repositories via the BitBucket REST APIs, and you will need to create an OAuth consumer to use the driver, please refer to [Atlassian's Documentation ](https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/ ). You will need to fill the callback url with something to satisfy BitBucket, but the address does not need to go anywhere and is not used by Composer.
2020-10-13 21:30:47 +00:00
### Command line bitbucket-oauth
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config [--global] bitbucket-oauth.bitbucket.org consumer-key consumer-secret
2020-10-13 21:30:47 +00:00
```
2022-06-07 12:04:04 +00:00
In the above command, the config key `bitbucket-oauth.bitbucket.org` consists of two parts:
- `bitbucket-oauth` is the authentication method.
- `bitbucket.org` is the host name for which this token applies. Unless you have a private instance you don't need to change this.
2020-10-13 21:30:47 +00:00
### Manual bitbucket-oauth
```sh
2021-10-25 11:11:35 +00:00
php composer.phar config [--global] --editor --auth
2020-10-13 21:30:47 +00:00
```
```json
{
"bitbucket-oauth": {
"bitbucket.org": {
"consumer-key": "key",
"consumer-secret": "secret"
}
}
}
```