Composer install\update authentication fails

When I’m trying to install dependency from my private repository, I’m getting the following error:

> php.exe composer.phar update
Loading composer repositories with package information

  Failed to clone https://my.stash.repo/scm/lib/my-super-lib.git, could no  
  t read packages from it                                                      

  fatal: Authentication failed for 'https://my.stash.repo/scm/lib/my-super-lib.git/'                                                                   

update [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-dev] [--lock] [--no-plugins] [--no-custom-installers] [--no-scripts] [--no-progress] [--with-dependencies] [-v|vv|vvv|--verbose] [-o|--optimize-autoloader] [packages1] ... [packagesN]

Process finished with exit code 1 at 10:57:04.
Execution time: 1 996 ms.

Relevant composer.json part looks as following:

  • How to prevent git commit if specific phrase in changes is detected?
  • git clone/ssh under jenkins
  • Stash Git error “fatal: remote error: CAPTCHA required”
  • Diff branches in Atlassian Stash
  • What is the relationship between Git and Stash?
  • Gitflow + Forking workflow (on Stash)?
  •    "require": {
            "php": ">=5.3.0",
            "scaytrase/my-super-lib": "1.1"
        "repositories": [
                "type": "vcs",
                "url":  "https://my.stash.repo/scm/lib/my-super-lib.git"

    If I set username and password directly like

    "url":  "https://username:password@my.stash.repo/scm/lib/my-super-lib.git"

    composer operations work just fine. But I dont’t want store plaintext credentials.

    Is there a way to make composer ask username and password each time?

    Repository is Atlassian Stash with https nginx in front of it (both https and http were tested)

    Composer version 70a20ebcc19f1ea8ab0954a4fbdce208b30085e7 2014-03-12 16:07:58


    For now I perform git clone --mirror by myself to populate composer’s cache and then I just run composer install or composer update as usual (but It says it cannot update package info sometimes)


                $command = sprintf('git clone --mirror %s %s', escapeshellarg($this->url), escapeshellarg($this->repoDir));
                if (0 !== $this->process->execute($command, $output)) {
                    $output = $this->process->getErrorOutput();
                    if (0 !== $this->process->execute('git --version', $ignoredOutput)) {
                        throw new \RuntimeException('Failed to clone '.$this->url.', git was not found, check that it is installed and in your PATH env.' . "\n\n" . $this->process->getErrorOutput());
                    throw new \RuntimeException('Failed to clone '.$this->url.', could not read packages from it' . "\n\n" .$output);

    manual git clone --mirror works just fine and asks for my credentials. But composer (which obviously executes the same command) – it does not.


    It seems to be PHP Storm 8 EAP problem which i’m using. Latest stable version requires authentication correctly during composer install, but not during composer update.

  • How to handle dependencies when using git topic branch workflow?
  • How to copy a file from one branch to another branch using functionality on Eclipse
  • fatal: remote server hung up unexpectedly
  • How does git handle folder permission?
  • Does anyone know what the git bash program for windows uses for its shell?
  • Git branch is still on same line as master
  • 2 Solutions collect form web for “Composer install\update authentication fails”

    Seems to be a bug in latest PhpStorm 8 EAP 134.1456. PhpStorm 7.1.3 works with composer like command line (identical behavior) and performs composer install fine (but not composer update, but command line fails this too).

    I’have submitted a bugreport


    My bugreport to composer has been replaced by this


    For now question is totally not actual. Composer handles authentication correctly and also asks to store credentials in COMPOSER_HOME/auth.json

    You could setup an encrypted file with those http credential, in order for git to use them from that encrypted file.
    That supposes a running gpg agent able t provide the unique password needed to access that credentials gpg-encrypted file.

    The url you would use would then be:


    That allows git to ask to its credential helper for the right password (the one for ‘username‘).

    See “Is there a way to skip password typing when using https://github” for a concrete example.

    Git Baby is a git and github fan, let's start git clone.