pip should support custom authentication handlers for private pypi

[zmt]

• Pip version: 9.0.1
• Python version: 2.7.13
• Operating system: MacOS X Sierra 10.12.4 *

* any OS, really

Description:

This is a feature request.

It would be super-awesome++ if pip supported custom authentication handler configuration so private pypi repositories are not restricted to http basic auth only. Basically, make MultiDomainBasicAuth the default and no longer the ONLY option in a PipSession as it is today: https://github.com/pypa/pip/blob/9.0.1/pip/download.py#L331-L332

This limitation prevents easy integration with stronger authentication (e.g. 2-way TLS, 2FA, etc.) and SSO schemes at enterprises with private pypi repositories. The lack of support makes basic auth credential distribution and leaking unnecessarily difficult problems to address and combat.

[zooba]

@pradyunsg @dstufft I'm keen to implement this (mainly so we can support other auth schemes with Azure Artifacts when the Python support goes public).

Will you be at the sprints at Bloomberg in a couple of weeks?

[pradyunsg]

I will be, in London.

[zooba]

Okay, good to know.

Our main hope is to support git credential helpers (see https://git-scm.com/docs/api-credentials and https://git-scm.com/docs/git-credential), in no small part because we already have a compatible credential helper that will work for us :)

I'm not sure how orthogonal that is to enabling the auth class to be overridden, but we're willing to contribute both. Just want to get some guidance on how many places you think this ought be touching, or any preferences as to how it's added.

[zooba]

Just posted the same proposal for twine, as it didn't appear to be there. Hopefully we can design something that works similarly for both.

Rather than going directly to the external process credential helper, having a (common) Python interface would be just as easy. Then perhaps we can publish our authorization tool in a package and installing that could enable auth for certain URLs automatically? That may satisfy all the needs here, without having to support any particular external helpers in pip/twine themselves.

[webknjaz]

@zooba do you mean publishing a dist which registers itself within a certain entrypoint pip would recognize?

[zooba]

@webknjaz That's what I'm thinking. An entrypoint or something similar would be fine, as that way pip install <cred-helper> could automatically light up without the user also having to also add more command line arguments.

[zooba]

Okay, looks like this is basically adding keyring support, so I filed #5948 (basically, when we can't handle the 401 response from pip's cache, go through keyring first before prompting the user).

I believe that will also work for the original use cases? Keyring has extensible backends, so it would mean installing another package that includes keyring before installing the package. @zmt - thoughts?

[zmt]

I believe that will also work for the original use cases? Keyring has extensible backends, so it would mean installing another package that includes keyring before installing the package. @zmt - thoughts?

I haven't thought about this really since 2017. The addition of keyring support is great, but doesn't appear to help with SSO or using ssh certificates from an ssh-agent, which were 2 authentication methods I initially had in mind back then.