Description
see:
After NuGet experiences one HTTP 401 response from a server, sending more unauthenticated requests just increases latency and increases the server workload processing these requests.
Reproduction Steps
restore, where at least 1 package needs to be downloaded, or open PM UI in VS, and go to the browse tab
Expected behavior
There should only be 1 unauthenticated HTTP request sent. NuGet should then either use credentials provided in the nuget.config file, or ask a credential provider for credentials.
Actual behavior
Every URL is requested twice, first unauthenticated, and then again with an Authorization header.
Regression?
We previously tried HttpClientHandler.PreAuthenticate, but there's a bug in the .NET runtime:
Known Workarounds
No response
Configuration
No response
Other information
In HttpSourceAuthenticationHandler, when a response is an HTTP 401, NuGet needs to check if the WWW-Authenticate header exists, and if so, when it responds with the Basic scheme, NuGet needs to explicitly set the Authorization header on all future requests. If a future 401 response is received, credentials should be re-requested, in case the customer interactively provided a credential and made a typo, or if a cred provider returned a time-limited token that needs to be refreshed.
Since we're going to have to handle Basic authentication ourselves, it would be great to also handle Bearer, since that will enable OAuth2 (including OIDC) credential providers. It should be effectively zero cost to add once Basic is handled.
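One way to implement the behaviour described under "Other information", as an added example that is not NuGet's own code or part of the original issue: a DelegatingHandler that reads the WWW-Authenticate challenge on a 401, caches a Basic or Bearer Authorization header for later requests, and drops it and asks again on any later 401. `ChallengeCachingHandler` and the `getSecret` callback are hypothetical names; the example assumes body-less requests (so the same message can be resent), does not coalesce concurrent 401s, and attaches the header only to the configured source's origin so the credential is never sent to another host.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Added illustration, not NuGet's HttpSourceAuthenticationHandler. getSecret is hypothetical:
// "Basic" -> "user:password", "Bearer" -> token, null when nuget.config/provider has nothing.
public sealed class ChallengeCachingHandler : DelegatingHandler
{
    private readonly Uri _source;
    private readonly Func<string, CancellationToken, Task<string>> _getSecret;
    private AuthenticationHeaderValue _cached; // reference writes are atomic
    public ChallengeCachingHandler(Uri source,
        Func<string, CancellationToken, Task<string>> getSecret, HttpMessageHandler inner)
        : base(inner) { _source = source; _getSecret = getSecret; }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        // Credentials go only to the scheme/host/port configured as the package source.
        bool sameOrigin = Uri.Compare(request.RequestUri, _source,
            UriComponents.SchemeAndServer, UriFormat.Unescaped,
            StringComparison.OrdinalIgnoreCase) == 0;
        if (!sameOrigin) return await base.SendAsync(request, ct).ConfigureAwait(false);
        // Attempt 0 uses whatever is cached; attempt 1 is the single retry after a 401.
        for (int attempt = 0; ; attempt++)
        {
            request.Headers.Authorization = _cached; // null removes the header
            var response = await base.SendAsync(request, ct).ConfigureAwait(false);
            if (response.StatusCode != HttpStatusCode.Unauthorized) return response;
            _cached = null; // missing, mistyped or expired: stop sending it
            if (attempt == 1) return response;
            var challenge = response.Headers.WwwAuthenticate.FirstOrDefault(c =>
                c.Scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase) ||
                c.Scheme.Equals("Bearer", StringComparison.OrdinalIgnoreCase));
            var secret = challenge == null ? null
                : await _getSecret(challenge.Scheme, ct).ConfigureAwait(false);
            if (secret == null) return response; // no usable challenge or credential
            bool basic = challenge.Scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase);
            _cached = new AuthenticationHeaderValue(basic ? "Basic" : "Bearer",
                basic ? Convert.ToBase64String(Encoding.UTF8.GetBytes(secret)) : secret);
            response.Dispose();
        }
    }
}
```

With this handler in the pipeline, only the first request to a source goes out unauthenticated; every later request carries the cached header until the server answers 401 again.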