We need a mechanism to support authenticated feeds with package management. #10609

Open
KevinRansom opened this issue Dec 3, 2020 · 4 comments

Comments

@KevinRansom
Member

nuget has an authenticated feeds mechanism where credentials are required to access a feed.

We need a mechanism to allow notebook users access to these types of feeds, however ... putting plaintext credentials in script files, or indeed any other type is not really very secure, so we should come up with something a little more secure than that. Ideally without us doing any credential management or storage in our code, because the security is so hard to get right.

@zyzhu

zyzhu commented Dec 3, 2020

Just link to an old issue I raised. #7834
I've tried to follow the steps in the following link to add a private feed with a password using the nuget command. My private repo hosted on Azure Artifacts is added to the global nuget repository on the local computer.
https://docs.microsoft.com/en-us/azure/devops/artifacts/nuget/nuget-exe?view=azure-devops
nuget sources add -name {your feed name} -source {your feed URL} -username {anything} -password {your PAT}
Then #r "nuget:package" works now in dotnet/interactive notebook.

@catfly1

catfly1 commented Jun 18, 2021

#i format does not use the authority component of a URI correctly. Example:
#i "nuget: https://myuser:mypw@mygit/api/v4/groups/33/-/packages/nuget/index.json"

Results in:

GET https://mygit/api/v4/groups/33/-/packages/nuget/index.json HTTP/1.1
Host: git.seer.internal
X-NuGet-Session-Id: 255b719d-XXXX-4024-b8ee-XXXXXXXX
User-Agent: NuGet .NET Core MSBuild Task/5.9.1 (Microsoft Windows 10.0.19043)
X-NuGet-Client-Version: 5.9.1
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
Authorization: Basic Og==

The base 64 in the authorisation header decodes to ":"
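
The check described in the comment above can be done mechanically. This is an added example, not part of the original comment or the project's code: it decodes the captured `Authorization` header and compares it with the userinfo in the `#i` feed URI. The function names are assumptions; the URI and header values are copied from the comment.

```python
import base64
from urllib.parse import urlsplit, unquote

# Values copied from the comment above (feed URI and part of the captured request).
FEED_URI = "https://myuser:mypw@mygit/api/v4/groups/33/-/packages/nuget/index.json"
CAPTURED_REQUEST = """\
GET https://mygit/api/v4/groups/33/-/packages/nuget/index.json HTTP/1.1
Host: git.seer.internal
Authorization: Basic Og==
"""

def uri_credentials(uri):
    """Return (user, password) from the URI authority; empty strings if absent."""
    parts = urlsplit(uri)
    return unquote(parts.username or ""), unquote(parts.password or "")

def encode_basic(user, password):
    """Build a Basic Authorization value (RFC 7617): base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_basic(value):
    """Split a Basic Authorization value back into (user, password)."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def sent_authorization(request_text):
    """Find the Authorization header in a captured request, or None."""
    for line in request_text.splitlines()[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return value.strip()
    return None

def audit(feed_uri, request_text):
    """Classify whether the credentials in the feed URI reached the wire."""
    header = sent_authorization(request_text)
    if header is None:
        return "no-authorization-header"
    sent = decode_basic(header)
    if sent == ("", ""):
        return "empty-credentials"
    return "ok" if sent == uri_credentials(feed_uri) else "mismatch"
```

For the request shown in the comment, `audit` reports `empty-credentials`: a Basic header was sent, but with an empty user name and password rather than the userinfo from the URI.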

@KevinRansom
Member Author

@catfly1 --- I am afraid authenticated feeds are not supported at this time. We know we have to support them, but right now we don't.

Sorry for the bad news

Kevin

@abelbraaksma
Contributor

abelbraaksma commented Sep 27, 2022

> We need a mechanism to allow notebook users access to these types of feeds, however ..

It is not just notebook users. Any company with a private feed for their own packages (which I assume is quite a few) suffers from this problem.

A big problem is currently that, once you've configured an authenticated feed in nuget.config, none of the normal feeds work anymore.

Maybe there's a workaround. The above-mentioned "adding to local feed" is not very feasible in large organisations, I'm afraid. My workaround is to just not use FSI with packages, unfortunately.

Not sure what's needed to get this working. If the nuget.config contains environment variables for authentication, it appears to me that FSI should also be able to resolve these variables. In other words, it would already be a huge help if one of the following could be done:

  • If a feed is not accessible (authentication error), still process the other feeds, don't stop resolving
  • If a feed is configured with environment variables for authentication, use that

An example of a config that currently prevents any package from being loaded in FSI:

<packageSourceCredentials>
  <github>
    <add key="Username" value="%GITHUB_USER%" />
    <add key="ClearTextPassword" value="%MY_NUGET_TOKEN%" />
  </github>
</packageSourceCredentials>
