NuGet Authentication issues

[dansiegel]

Details about Problem

I'm currently working on a private feed for my NuGet Sponsors. The feed is based on BaGet but adds some custom Authentication Handlers to support basic auth using their GitHub login and a generated token from the portal.

Since it appears that the NuGet Client will always attempt an unauthenticated call first, unsuccessful calls get two response headers added:

• Www-Authenticate -> Basic
• X-NuGet-Warning -> Failed Reason

Detailed repro steps so we can see the same problem

1. When connecting to the Package Source in Visual Studio, I get a prompt for a username and password and it seems to work.

2. When I attempt to push to the package (from the CLI or Azure Pipelines) I get the error ERROR: This version of nuget.exe does not support updating packages to package source

Other suggested things

Any suggestions on how to properly manage this would be greatly appreciated.

Verbose Logs

build-log

[rrelyea]

outside of visual studio, we use v2 credential providers in nuget.
azure artifacts have one: https://github.com/Microsoft/artifacts-credprovider

that works...in msbuild, dotnet.exe or nuget.ext

cc @nkolev92 @loic-sharma

[loic-sharma]

Are there resources to better understand NuGet client's HTTP authentication mechanism?

[dansiegel]

Thanks @rrelyea. I've updated my deployment stage based on what I see there. It seems there is an Authenticate task for Azure Pipelines...

I'm not really sure what the reference to the NuGet.config is all about since the NuGet.config is never directly referenced. In testing this out, I set it up like the docs say and then tried listing the sources to validate that I have the right sources...

- task: NuGetAuthenticate@0
  inputs:
    nuGetServiceConnections: MyNuGetServiceConnection
- task: NuGetToolInstaller@1 # Optional if nuget.exe >= 4.8.5385 is already on the path
  inputs:
    versionSpec: '*'
    checkLatest: true
- script: nuget sources list

However the output of the sources was:

Registered Sources:
  1.  nuget.org [Enabled]
      https://api.nuget.org/v3/index.json
  2.  Microsoft Visual Studio Offline Packages [Enabled]
      C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

[nkolev92]

@loic-sharma

We have user docs if that's what you are asking.

User docs: https://docs.microsoft.com/en-us/nuget/consume-packages/consuming-packages-authenticated-feeds

A question from technical perspective #7841

[nkolev92]

@dansiegel
Is the question here about pushing to baget with your custom auth?

If that's the case, then I think NuGetAuthenticate will not help. That task is specific for working with Azure DevOps feeds.

As per https://docs.microsoft.com/en-us/nuget/consume-packages/consuming-packages-authenticated-feeds, you have to either;

• Provide a nuget config and auth token inside the config.
• Write a plugin and put that plugin on the server where you are running your CI build.

Let us know if this covers your questions.

[dansiegel]

I discovered that the index.json has to require authentication otherwise the NuGet client fails

As a result I had to add some custom logic on there so that my basic auth handler would respect either the Basic auth or the v2 auth when index.json is queried.