Please confirm AUTH behavior findings (and add them to documentation)

[WernerMairl]

Hi
i'm working on a token based Authentication for a NuGet Server (BaGet)
I know all the concepts of CredentialProviders and i have up and running VS+Debugger for Nuget.exe and "artifacts-credprovider" (the Azure Artifact Credential Provider)

Basically Nuget Authentication is implemented here

basically the following 2 lines are doing the work:

clientHandler.Credentials = _credentials;
clientHandler.UseDefaultCredentials = false;

that means the entire process of building and appending a AUTH-Header is delegated to the corefx implementation of HTTPClientHandler (also debugged for this investigations)

basically HTTPClienHandler has no implementation for a AuthType like "Bearer".
It has implementations for "Basic", "NTLM" "Negotiate" and "Digest"..

Reading the sourcecode of artifacts-credprovider, (the NuGet CredentialProvider for Azure Artifacts) i find out, that they are using/implementing Token based security (vsts services) BUT

• the used Authenticationtype is "Basic" (see VstsBuildTaskCredentialProvider)
• credential.username is ignored/random/virtual
• credential.password contains the token.

It make sense to do the same if we implement token based security in our own NuGet Server ?
what is the plan for the future here ?

I see that the current CredentialProvider interface does not allows the transfer of information about the authtype...(or i overlooked something) ?

Summary:

For Token based NuGet Authentication

1. implement "Basic" Authentication on the server side and assume that the password contains the token
2. use Config/CredentialProvider Settings on the client side that sends the token as ICredential.Password

TRUE ?
i must assume that Azure Artifacts and others does exactly this "hack" at the moment....

regards
Werner

[nkolev92]

Apologies for the late reply, but this analysis is spot on.

Trick is that the PATs passed around are actually scoped, and in order to acquire a PAT you might need to go through 2FA first.

As far as documentation goes, while I'd love for us to have documentation like, this is certainly not high on our priority list right now.

As such I'm gonna close it.
We'd be open to a contribution but at this point I'm not sure where this belongs.

Instructions for building a plugin can be found here: https://docs.microsoft.com/en-us/nuget/reference/extensibility/nuget-cross-platform-authentication-plugin