Unable to use Authenticated sources with Central Package Management

[thompson-tomo]

NuGet Product Used

MSBuild.exe

Product Version

17.8.3+195e7f5a3 for .NET

Worked before?

No response

Impact

I'm unable to use this version

Repro Steps & Context

Reproduction

Option 1

1. Add a GlobalPackageReference to Directory.Packages.props for a package which requires Authentication
2. In nuget.config ensure that package mapping points it to authenticated source
3. Run dotnet build --configfile nuget.Config --configuration release /nodereuse:false on machine which doesn't have package in cache
4. Observe error

Option 2:

1. Add a PackageVersion to Directory.Packages.props for a package which requires Authentication
2. Add a package reference to a project in the solution for the new package version added
3. In nuget.config ensure that package mapping points it to authenticated source
4. Run dotnet build --configfile nuget.Config --configuration release /nodereuse:false on machine which doesn't have package in cache
5. Observe error

Config file

<packageSources>
	<add key="NuGet.org" value="https://api.nuget.org/v3/index.json" />
	<add key="InternalNexus" value="https://url/nexus/repository/nuget-releases" />
</packageSources>

<packageSourceCredentials>
	<SKIDATANuget>
		<add key="Username" value="%NEXUS_USERNAME%" />
		<add key="ClearTextPassword" value="%NEXUS_PASSWORD%" />
	</SKIDATANuget>
</packageSourceCredentials>

<!-- Used to disable package sources  -->
<disabledPackageSources />
<!-- Define mappings by adding package ID patterns beneath the target source. -->
<packageSourceMapping>
	<packageSource key="NuGet.org">
		<package pattern="*" />
	</packageSource>
	<packageSource key="InternalNexus">
		<package pattern="SkiData.*" />
		<package pattern="JSNLOG.*" />
		<package pattern="Steeltoe.*" />
	</packageSource>
</packageSourceMapping>

%NEXUS_USERNAME% and %NEXUS_PASSWOR% are both CI/CD variables and even tested with explicitly setting the password in the nuget.config but same result. I am able to login to the nuget from my pc using the credientials and everything works fine when not using central package management.

Verbose Logs

Package source mapping matches found for package ID 'Microsoft.Extensions.Hosting.WindowsServices' are: 'NuGet.org'. (TaskId:46)
Unauthorized https://url/nexus/repository/nuget-releases/FindPackagesById()?id='Skidata.CNP.Build.Properties'&semVerLevel=2.0.0 144ms (TaskId:46)
Retrying 'FindPackagesByIdAsyncCore' for source 'https://url/nexus/repository/nuget-releases/FindPackagesById()?id='Skidata.CNP.Build.Properties'&semVerLevel=2.0.0'.
Response status code does not indicate success: 401 (Unauthorized). (TaskId:46)

[nkolev92]

@thompson-tomo
CPM and authentication are unrelated concepts, so they're not blocking each other in any way.

However, looking at your config, your configs are not configured correctly.

See: https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file#packagesourcecredentials

NuGet doesn't know that SKIDATANuget has credentials for InternalNexus.

[thompson-tomo]

Thanks @nkolev92 that was my mistake as when I was attempting to obfuscate my employer name/details etc i missed the credentials part.

My config is valid as it works prior to enabling central packagement.

[nkolev92]

@thompson-tomo

CPM without transitive pinning is largely syntactic that doesn't really affect the core of restore.

I took your option #1 as an attempt at a repro, but I'm not really seeing a problem there.

[thompson-tomo]

Apologies @nkolev92 I did manage to pinpoint the issue with it being connected to my nuget.config. Will close issue.