From b4840c5bb08d8fa4bfaeb37d70509a7a39ac362a Mon Sep 17 00:00:00 2001 From: Yordan Mitev Date: Tue, 9 Sep 2025 13:22:41 +0300 Subject: [PATCH 1/9] Remove NuGet authentication with password option --- .../images/account-generate-nuget-api-key.png | Bin 0 -> 9988 bytes installation/nuget.md | 86 ++++++++---------- 2 files changed, 37 insertions(+), 49 deletions(-) create mode 100644 installation/images/account-generate-nuget-api-key.png diff --git a/installation/images/account-generate-nuget-api-key.png b/installation/images/account-generate-nuget-api-key.png new file mode 100644 index 0000000000000000000000000000000000000000..902c1ab7876136b9192cf91ad6c3dec369ad856d GIT binary patch literal 9988 zcma)hRZtv2v+m*=EJz@DSc2>l0t9y_i|ewBy9Xyg&=7(JXMq60Avi4V9%OO%1cDPF zxU(nc-nw<~!>L>ULsxh8bWMN#%{=t=|66hu4jF_>>0Ml07Hpyc7*Gj=h2De( zsFZ8X?QJg_eZR4R-l~LR05)!KO{Da0Z)<`EZf^(HBs@0y?(R0x=%b5!Go*38R}&_io?H+#1WQE2puguzj|;GPfA4EOFOjg5>pvIt1O2;vNm$xq_6*JAw=w@2w03s6Q|b|9 zus{R=+&-d@A0G6r<{z%6+t1POhtNDpyKYJAE2Z!pD9+k>!;f%XzbSNa&wgd^>BIf1 zU+(sBYf^!wUd}06NWt6M3>KlS*S&M6ld&pcuvBYKNRNYY{(#0}_kqaiDM;&K5j=~0 z4Tzk-GcEd!zUUWLOCBu#e0OseikuNP_>4)+U$y@jK7D_8vMTDl;HROhUVJB)GG5L#Zg;xS%LT$x{$<&&6Kfar?#Hc zk6*duPgmwvxQ8SJI+&&!>h&LOCgpApcA{2izQ~&dtQEQ=!>!)15;x53r-W4{wO3TV z)1ws8jdPU`G2pgV1d31sE)J%-%*!pL5^merYXJG5w<6h)AixJ(U~g9!t|RlLt%V*5(x)mg#8@24w*XrIsA_!(ZC~fEPU~@-n*b zm;PjmMLgA_43~%~Mpl!PtFnCOh#*VAr{>~PtV!TtvCCzKa&Q<@Z(!wXb>qp)_-I9A zM@Pi{FsAyD!`wk;Tt`)7n0?*%LstG|OeB3}XzWjx9aT8mkvqt_Ax30wDXqxwqzdngU574g9pv2UVX zg@rKRF8}}uxOnbt<^6W{azsNsW&ZSO3R^dy|JOW`(}vH@r^ZiLSnmpa5(`VVw(jw{ zN!34C%QLLO?beo+B$>|IK7`+ZO;5vLIk!iJ5-RgK!=_&9pU}e`bl!Q+wYbEmBwlY% z@i}cRHG_7`FWk&nO4<^9Q*I<0LY-*<6p&U#>t|ir&j_v|l_-l<5^7Ja`3md7w@*t0 z5LJSfv^b;*r)IB<8|+S<2C$fG>g+jRa|Hws<`xpx#^hc1jdZGO-n5+*3uX}KkAZ_? z>Q1jMwu}9DG;Ml~o_tA7XYz|IW8`5~v4#j$k+lbDe?l-1#Y`l+Q=S$a~)+)cYDP4Fww(f`>2RB6Gr?8MLSN}LQ+q9a0SA`v(`8k z7|o!DI_GxzNoQ(%L`q-9I%L?d_$6_QS%eRu^0J_?yf*gO)5X3%nI*JS+AUADHd{-miQ%A z!NrnXi`)JoZ9Z&)TKU^IAb>(u8KPoYd$!^Q0UvRrOA3V%F1J*3+NSbHDO)cJ?@t+s z0v0s>g+U=DN;5o7J~sun2?}+|ES{3~ZuTkz;S1`D9-`U0f0{lF!ih^O8owN86IWwo zTuO%$IF?x7t@r2KbGGb;yEi6tiM$=>ETK)= z7OS?qL%z#kvleq*oNl*O}w(w#e~Mf=goFgU>Im$LH4DO@0?*?9mnj zv;2yGnnXJowfI&_Z)I2c*SWLi)n<8aH@QE^hw%A~a9>!C;<2SFgMl%NqD2~ww-dbA{5nQUV1!KiS^Xe&8HjVi7x7LXaPql`9oJH7{ zhiyq8&9fhy*z`4Dz44borloX=9$Pnryq?Gn?ExzDO~U;6md;+hJIiE{)JbESm_oCq zL*U18FPLu5pc)zZ1}YKriHrsrt-m>I2V(5Ld7>JPw0FB`=C`8X74%-XVLu{0E}NXO zWGF99!a&&g)!HIsSSpt8~AKcz|2N0N8CvL{g5M%ET!Ta%wlM#>{~fye?lXo zN%~Z!@hoCv5DsaD7)MME!ce50Hx6Kyw=W#Qod;l+JZ0pZb_8DnLe}bY9VM$+K_S^9 z3;5F@i9M&hcV_XHLoNP5y0O=~h*~|qY=lQ7Y>q1JbXOdFutg6(JpY|EWH~eHHH*s< z)n8xmL>KRnC^Hv0n`b!V9ze@p@ANtsWPJ>JeMo`UK6c+x1WF5_?C$BsIN@9N$kokNZmx zh8LYbZO%{W>in_OHCox)+%Qd%2hau|j!Vr{hw{xx*d#54D`{F_sKFeDH0Zmo2b%lc zc)c|<8EMNoeu#j2)8EXVl64=~X4==c)$?Gb^(CGf30qtO@wEUYh;7Wk56`z;8h$o_ z{5@k_G+CI2wYstn!AM9^mm3L+T$Q|Dl~w$Bq8N7D^R)9zH_F!%XE~E5k4$kkkuFVq zqR3G4QWvjN5*Ox|4Yp0!IDnMy(+TPhM|ePOHg>;TQ-m14>YgZo1vap8O!VRM(}p{G z=_mK>2BAJ8TuWSR@9?g@bs^koUZp@d&GZX=emC@k8#v(n446$PVu2~_yYn!sXc5Kt ztfFs9@F!!3+t-^glNrABzSyFIZxPQs_L{b_i1s)_8D7rv&9w3y-fH2}tiQ<#)0vo0va`zPh?$>61{ya1aBz999-Lx8B$3C<)APJ~X(8rD0C#oy z#ap>?IAH?Aly=0Q`2TwouLmR5uXqIkId=Q zK)i+G|11{PWBKz@CIi1$IJR@TmW|q83nXBPJ7DEGD8**5>+b3b0jd1a7L_LsDU(gm zRVuaP62`+PL|8M^JApQ{)w7V9l=xsr%ZtsmUT4egRc-b6?BI%i+m3 zL42Wpv&vlvQdmB}#izLdX6RU3|sGut6JcjKp* z(~@i1)*cN3?=l-BXGb60fiL@jqdx4o_~qucs^g;1^G3v!G2NWMVegIrr z8FkbL2zeuo7!ef(mIiX2EcY7+`k>Bj7avzoGaWiWB0Tjd;Wl?+j^@NJ_TOt_Heso9F5@+?#O35j{!_zP|H~NJ}0G4F_KXTJsIeQ@f1Y0JGyQ>cuxbRC?9PjvJ z&M%hldv@zM@xg?VxRIEI@-i4Wo)c5dGLZgJHJ7=v-}oF-Z1G8wL9qdiVq&eoTQfZp zw@R{>y6clb8iz9^m04E44#nQC&i=?u)BRHw|Lq|Ao$&{^@`v{}acaU!LAlNDzP}>` zSTnPnH3bjZv8#^x!k+Ed)Jr9Ak;yi>p3EbSKm+^(OVlX+`VB%-bEX>5PHGN)>Y$5` zAxWA0u@D)s%sLh6G#8DurE#wl{N=aY3Q_<#Oy}!R$sqb+n1TsgH#=2IPl6}G>dCC>a|bWxUoh^&__21ed=9W4^97}OT2rl=RwtIFxKU+Q z3G}Jn0m4J>OJ8fF$7#?6hM3~oK{rB}lG28W#DuQG{yGOOl6`ZduiAxaFfSslO--hR zXc#vHcYD!&viMib7MU?H@r{UtYKW*?b-%}Ra4(mtB(&(MXatQ^$TYjxSLuUE2AZSr z*Xhs9C5^321=jOG*_qF2IeWUg6Hw;DxEWkuUA+|--XCpjd><<>XI$O0S4Dk=V{(jx? z&9n1Jx(Mn>&a*t^Ua|(t+KFv3VTUMo>qQ^(ot$f&;!(CvP!G{>`tyuHvOF%_KfiL6 zDXZ^&L>lxaN@;-PN5KvQ$eA;2a$<6@j!mugFa*zTPo}ZS93l<+urr_Zm!n(KbMGUo zu^zQkUSp~?X@luEU%xLusnR|U(jE2^R{rSRg-@6zt*~PRs&o;^1X!Y)+#`g&kTd5+ z=7A0L6v3}^74S~Z&BJ5Azr%f^8A;+!op8bFU(rSTxvzl5U7FHU+qGYL(*4hMoLO)! zMkJGM4Aqq~Wl4;Ic>$vq-9=RLa;@(VjBk3~nj2&xyw)algW8fQkm&Bg7mVD(S}n4m zJG#8ZMD~|Bi}XY~ z-*2fueCNaU*FRRfmzU_vUu?)KI46fl8KwYu?%+gHe?4AFb91FbCMX5HI0}zRIs>rJ@?dhFI1-Tk15!R$zx3b zDNyqK)sbLjJs}dnj0XkaZbpIdlPbSEdBU4LqZbkZF`LfsnJsFoSo+exeDCB*e>w8r zxMe8N)rRsW*jLl3E3;As@pdE7s)R$A0DIS3WCQ!@`vWVH^0{Y?P2Viq@dRWC^iG2F zho&~;$bAs1FYI&S($RI;0x@iL>;-d`<-dOCr+{W@s3RaqdBy0(#8{`ap+xT7kPcD% z=*VbBAO!QS1cbxm!J$gWipOsDyEM7bVy6z^cfl%$q|_SLlwf5>vc6DOrO+{KA?CQc zeWkjofUNtl(UuGxr^oQch;MsZvp7%o3Ucwvdgv%DJ=O#vX=a+-HJ+aYY&}M|S{oxU z>0l57vP+exI)=!Pd=ap+wWW;bVkV$HHlIoGNF) z?yRb9;bWtfiYq(Be2Pqj_obKNSH>b_7z=(a59$s16SAU_ZCfriF@0{NXWM-V$htNe zNRE1Ru__5BRYxRcEnFZyzfN6QcSc;O{_G{(GKhxa@EG1I{Mps}URafmR49jcwkUwI zTiGFR^$!*;UQ%mlz7CQ0|EdixRo#zjO@Z26^KChHnw_We_9bYM*_sAV97v25(D0o;u9_w%V;AEe%Unf=~7)uwKvT9OgRnlSC zXN{~2#!s>({@mLJGHCUaPOEJ48gGpRoh`@8A~0W)d{U9y1bk6{Td7JKlU2X+tAJ|x z6X+tefRQ`^#~G>K(5;4$#7gSx&ftyw$07oyjbN3&nIxiMDSC+d$0HBqdg5w^h?FXl zwCOZd{$j(5AeV7dW47Bj;BJs^ZPsOTlb5c6uF(a#TKKd=uaR!DGalt!*MGI>Ht6p5 z5e|djUOUYX199NM?D3JAnOE8ykD!~ik*%urQx;Rz4JMI4pI{{CU~dcy zf+`Bg_ZJ9FB~WfGRFBuz1xivM_6&I-a8 zTx2c$^a&afy#UAWLBO%KKz*;w3K7)QYbU%rZ3owFe;3lq*%Xjs={~mGBN9U$0mqM+ zaPKBwTG@FE|Ge0_f4JZ3) zv8skmsAPYOd<9!I|1()-lP%Ib@ zcWD8mahsNxkPApZC+FtK2FhV@l_J?2HL@U})C z78jP?UopU>+uq!m+h+AH=O0vCOF!g)yFfaqTbOfDU(oq#J0Nnsjb%m^X7}W9FyEUm z^4&+gMLclq&LxEt;h zb&y2ANY1XXHf3t!I_oWjxjso--H5UqN94-A+-KI!af;-XcqN(N46Y?}>7kdoCYR{= zSyMY?dYNgQ@u#q#Z<(Ty-3CQ-%o5T`3P@eYUnw67okc!R*~NU(jQJ;dKveqZ;;0tivO$3sF~5@h7nUj8)+ zKb&>eag)Fox+3!q0xo^a#6{Lc^!j^k-m_0gV7+M^c)d;#9z`^70l~4`#x#(47+PEW zEkG=Xk;cM}f5Jbp?1~xRBwyHIQP$TL7Do1TWDC<3iya&97bca#FM#Ui-ca`1LDE({ zFc%5L&Fu3wd6@M!3a~dwVLEJHt=@!@h+fcsTAn=B>iMbUnp*d+0aHSckagZXl31NI zpL^pcBUC%2TbrD>+Xq?{;SaLcVnpp&zp%%Ge6t)cd^#*$B646;|NffTxR4vMqJPe| zp*gdg9yrAWVbx5eaVRYJXQMet>`q)D4F!(kLpQ+DP`=17WBjAolr?#4jpm18z6p*KEM#Q!Z}5@zkBif6lLvatscwu3> zz*6m+@{*#-!YFIC&Og&N|NcV(UCcoT_J24&FHBN+*M%{F&6Obkj~NjlT7&_>#$*=! z^^+fq00SpT?jZMn8v0}+q+|YvLC`xC&d3dXEy=>=@{kc|!5q{3p8k~2yFs>GzB&W` zKAcjvG>o44eVCD1Yef&2e@K^iUKZXdwu@x{Fe~V6?C<@sK>GH&)F?o*{NiEM{eC|a z@VB@5=aA}LiRZ@G6~JGXcbPHfm4@m%DoMc_&F~ggM1?1Auqh;!Ko8SF)tJYSPzc)9 zX;cKFg-FNQ^Av*$UjyzPtwxc*Nr=A3LxikE>e3@Iazd;;5DbQxZU?s7qY~SwzHgP4zlwtX1Uu3%O*4 zW}=-Zoy#e|)BTb11ze8Ha>6P+E4lRztPpwocg_qZ$yf&P)|U|ZT_bCIS-o$qY!LZk zI-byVx>zQ41ZiBO5AL-F)2aTL|6&qwLwjKB%aXWos7Wz zOZv#IlhxyCEg-*-ORbm;qieVw+K`#5wy zcTiTTa@%NnVen>k=lt7J%;o#99ZK2U&rxgbTvZK&OxRWDODTtMN8KL_wuQ?2`>Vyp z^;YdX%N=AK&uNS2ycDZAX;1;2vkgQkXD%eA{j*&ZGaOz{GC0*Ep~G9TdSJWnbM?PK zwxCQyG?q`v#e{pc6`pq5oHdgk4ocE1U&QL}7%8ijlw@Xyx>CR1aSUqtw_{=VlK^;pMUWtMw+jIq5}z9Hk|(G<~1j z)J=?xR?ED7w@eYShJuv5G;;FwVe8|G!@8)|<$dWH{0DKd^IaTRBJzZSuzR$6B(l77FMdTnqmI&ZBX!NLI?Niz`r48qACj{`z zr+DcxJt?I~3&cXjQYB=O`ZK@ahy{Kh z*)-(Gom(td+!_dxpN7@cmzG{)uffz!FraJ|UKGTmAEM+pmqSz20>|d)l!{}E+guaA z(#rBJMX_0`%#y$5>(K3n@}>BSeZA5ay@5d0=lzGfDNFUW3WEPC za8=#;DEawiOY!j<#&M^4lYdK=(B1RMuRPb)Cd5`&`-Upo#niSR%OJ;Yo{V2m`GEWvAD`SaWrZsrebf})|%pUy_nTSkHmHsp-e!|&L* zkv5=tvYl_MPQ%*VamrvqE1d(rni0yQ9}E2$@rPx?)M1MZ!Xq!d<9V*f+Ff~_1f$G? zYY03)o9$h!&V07;B+{8WJFfmCXW$tZ{kW)1P3?Bt(7dLb8m=Ihvvv=)IrSNqP^i&G zV*h@=u>LXl>4sLKWlGZ1 zLF-~H)x|Z+dq#@Qo2RORql^UMm=4w@=WuIL-;#Z|{)w3Dh+I&-Ka!j?8?&;XDR23J zfZ*mC29q#ngIZJlrkk}Z!=op? zK{%$2>Z|lfaYWe{Oq(kQ43xea*9atiS`;wSuhrN(9nESr1pQ{t(@(;flvc6HCK$JU zjh_;sm=4ue#~#GTeW5Hc*M(GA!esLlE3;!0eEB7U%Fse!{dDTjY9K9Y@_6YJ#KUYv zBsPpgM3WF=$X8bRE1vZ4Q&7HaDg20An!8)OM=S>DrTH>2(_2Bk=~P!dVjvl7E-qw-*ZhSq!ofJ9*S7DHaI6~%1L_D)|AHZ}fv0kh8CoIeKN zz5SuxB!GuYo+z?!lAP}WO(`UF>cD!d8OFc}43p)I|2I5{vF?td2nCAG>sREJV$NPJH-8*|@-0M9z6h1_cf^mAhE#jq_D;j-;Sl+EXl%3_=bM<;adxQcc3Nb zKjJL!j|+V1Pfl797`NVDt1kBFCl47?e?o~Wf04FcswFpV>JR$_X_dz?p^7qTPHx-= zKQ||Ly*)9OG;^M7RCm<3Z~d^Kme@dwh$(cnCy6O0h!A}~nIm`yIV|ONlKS|qhSzX1 zTjnfw?%~0exiWl(UjA{h(m4=hFJvFJ#B*Zyx1m*1s5;E#r_xQr1-zQeVr?=7 z`BLAzeyw><({E6zDbtZ8Mu7Qhq`gt+gL|12>)k{=ov)qpGX*$Dc@O(tL zYn~jyycGog^S6fl8}G1W$Bh)Vg<3v+8Sik%pI>M_!7ssadK}iKPpqt|WEW}n3=KbN zUe?#@>+1uDI|^2Z_n8v=r-r#akx-c7Cv|EFciF^{g}pVEs3EALT=pdms;ZTuFjLI{ SKkUDoH5CPQ`AS){(EkE;l0C=( literal 0 HcmV?d00001 diff --git a/installation/nuget.md b/installation/nuget.md index fa85d0039f..912603f1ce 100644 --- a/installation/nuget.md +++ b/installation/nuget.md @@ -20,14 +20,29 @@ You can set up the remote Telerik NuGet feed in the following ways: * [Use the .NET CLI](#use-the-net-cli) * [Edit the Nuget.Config file](#edit-the-nuget-config-file) ->tip When working with the .NET CLI or editing the `NuGet.Config` manually, you can use your Telerik account credentials or a [NuGet API Key](#use-nuget-api-key). If you are logging in to telerik.com through single sign-on (SSO), use a [NuGet API Key](#use-nuget-api-key). +Regardless of how you set up the Telerik NuGet feed, you must first [generate a NuGet API key](#generate-a-nuget-api-key) needed for the authentication. ->warning Never hard-code Telerik account credentials or NuGet API keys in a `NuGet.Config` file in a GitHub repository, Docker image, or any location that may be accessed by unauthorized parties. A NuGet key is valuable and bad actors can use it to access the NuGet packages that are licensed under your account. A credentials abuse can lead to a review of the affected Telerik account. +>warning Never hard-code your Telerik NuGet API keys in a `NuGet.Config` file in a GitHub repository, Docker image, or any location that may be accessed by unauthorized parties. A NuGet key is valuable and bad actors can use it to access the NuGet packages that are licensed under your account. A credentials abuse can lead to a review of the affected Telerik account. For NuGet-related issues, see [NuGet Feed Troubleshooting](slug:troubleshooting-nuget). For information on automated builds, CI and CD, see [CI, CD, Build Server](slug:deployment-ci-cd-build-pc). +## Generate a NuGet API Key + +As the Telerik NuGet server requires authentication, the first step is to obtain an API key that you will use instead of a password. Using an API key instead of a password is a more secure approach, especially when working with [.NET CLI](#use-the-net-cli) or the [`NuGet.Config` file](#edit-the-nugetconfig-file). + +1. Go to the [NuGet Keys](https://www.telerik.com/account/downloads/nuget-keys) page in your Telerik account. +1. Click **Generate New Key +**. + + ![Manage NuGet Keys](../installation/images/account-generate-nuget-api-key.png) + +1. In the **Key Note** field, add a note that describes the API key. +1. Click **Generate Key**. +1. Select **Copy and Close**. Once you close the window, you can no longer copy the generated key. For security reasons, the **NuGet Keys** page displays only a portion of the key. +1. Store the generated NuGet API key as you will need it in the next steps. + +Whenever you need to authenticate your system with the Telerik NuGet server, use `api-key` as the username and your generated API key as the password. ## Use Visual Studio @@ -44,34 +59,35 @@ Refer to the [Microsoft documentation about using packages in Visual Studio](htt 1. Click OK. 1. Open a project that references a Telerik NuGet package. For example, generate one through our [New Project Wizard](slug:getting-started-vs-integration-new-project). - * Make sure to remove local `NuGet.Config` files from the solution that contain information about Telerik packages. - + * Make sure to remove local `NuGet.Config` files from the solution that contain information about Telerik packages. + 1. Rebuild the solution. -1. A Windows prompt will ask for the Telerik feed credentials. Enter your Telerik email and password. - * Check the Remember My Password checkbox. - -1. Your project should now build and restore all packages - including those from nuget.org and from Telerik. - * If you experience issues, see the [NuGet Feed Troubleshooting](slug:troubleshooting-nuget) article. +1. In the Windows authentication prompt: + 7.1. Enter `api-key` in the **User Name** field. -## Use the .NET CLI + 7.2. Enter your [NuGet API key](#generate-a-nuget-api-key) in the **Password** field. + + 7.3. Check the **Remember My Password** checkbox. -When adding NuGet sources from the .NET CLI, the credentials are stored in the `NuGet.Config` file. The [password can be encrypted on Windows, but with limitations](#store-encrypted-credentials). You can use a plain text password, but for better security, [generate a NuGet API Key](#use-nuget-api-key), and use it with the .NET CLI instead of a password. +1. Your project should now build and restore all packages—including those from nuget.org and from Telerik. + * If you experience issues, see the [NuGet Feed Troubleshooting](slug:troubleshooting-nuget) article. -To add the Telerik NuGet package source with the .NET CLI, use the [`dotnet nuget add source`](https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-nuget-add-source) command. This command creates or updates a `NuGet.Config` file for you, so you don't have to [edit it manually](#edit-the-nuget-config-file). +## Use the .NET CLI -The command below stores the password or NuGet API Key in plain text in the [global config file](https://learn.microsoft.com/en-us/nuget/consume-packages/configuring-nuget-behavior#config-file-locations-and-uses). +To add the Telerik NuGet package source with the .NET CLI, use the [`dotnet nuget add source`](https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-nuget-add-source) command. The command shown below creates or updates a `NuGet.Config` file for you, so you don't have to [edit it manually](#edit-the-nugetconfig-file): -The backslashes `\` below enable multi-line commands for better readability in terminals that support them. +* The command adds the Telerik NuGet source, uses your [NuGet API key](#generate-a-nuget-api-key) for authentication, and stores the API key in plain text in the [global config file](https://learn.microsoft.com/en-us/nuget/consume-packages/configuring-nuget-behavior#config-file-locations-and-uses). +* The backslashes `\` enable multi-line commands for better readability in terminals that support them. >caption Use the .NET CLI to add the Telerik NuGet source ````SH.skip-repl dotnet nuget add source https://nuget.telerik.com/v3/index.json \ --name TelerikOnlineFeed \ ---username \ ---password \ +--username api-key \ +--password \ --store-password-in-clear-text ```` @@ -82,20 +98,11 @@ If you have already stored the Telerik package source, you can update the config ````SH.skip-repl dotnet nuget update source "TelerikOnlineFeed" \ --source "https://nuget.telerik.com/v3/index.json" \ ---username \ ---password \ +--username api-key \ +--password \ --store-password-in-clear-text ```` -### Store Encrypted Credentials - -The .NET CLI supports NuGet password encryption only on the Windows platform. Note that [the encrypted password in the `NuGet.Config` file will work only for one user and one machine](https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file#packagesourcecredentials). - -If you [add the Telerik package source in Visual Studio](#use-visual-studio), the credentials will be encrypted and stored in the Windows Credential Manager on Windows and in the Keychain on macOS. - -You can read more about the options provided by the NuGet tooling in the packageSourceCredentials section of the NuGet.Config reference article by Microsoft. Note the difference between the `password` and `cleartextpassword` options. - - ## Edit the NuGet.Config File NuGet package sources and other settings are stored in a `NuGet.Config` file. You can read more about the file structure in the Microsoft article [NuGet.Config Reference](https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file). @@ -106,7 +113,7 @@ To edit a `NuGet.Config` file and add the Telerik feed, you need to: 1. Ensure you are editing the [correct and desired config file](https://learn.microsoft.com/en-us/nuget/consume-packages/configuring-nuget-behavior#config-file-locations-and-uses). You can also create a new one with the [`dotnet new nugetconfig` command](https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-new). -2. Add the Telerik package source to the config file. Use plain text credentials, because the .NET Core NuGet tooling does not fully support encrypted credentials. Here is an example of how your `NuGet.Config` file can look like: +2. Add the Telerik package source to the config file. For the authentication, use your [NuGet API key](#generate-a-nuget-api-key) as a password and `api-key` as a username. Here is an example of how your `NuGet.Config` file can look like: ````XML.skip-repl @@ -119,25 +126,13 @@ To edit a `NuGet.Config` file and add the Telerik feed, you need to: - - + + ```` -## Use NuGet API Key - -There are two ways to authenticate with the Telerik NuGet server when you add the Telerik NuGet source [with the .NET CLI](#use-the-net-cli) or [edit the `NuGet.Config` file manually](#edit-the-nuget-config-file): - -* Use your Telerik account email as the username, and your Telerik password. -* Use `api-key` as the username and your personal [NuGet API Key](slug:deployment-nuget) as the password. - -You can [generate your Telerik NuGet API Key on telerik.com](https://www.telerik.com/account/downloads/nuget-keys). Read more about [using NuGet API Keys in different environments](slug:deployment-nuget). - -> Always use the NuGet API Key in plain text. - - ## Package Source Mapping The `Telerik.UI.for.Blazor` NuGet package and most of its dependencies reside on `nuget.telerik.com`. On the other hand, the [Telerik icon packages](slug:common-features-icons) and the [`Telerik.Licensing` package](slug:installation-license-key) reside on `nuget.org`. The correct [package source mapping](https://learn.microsoft.com/en-us/nuget/consume-packages/package-source-mapping) configuration should be similar to the one below. @@ -173,7 +168,6 @@ The `Telerik.UI.for.Blazor` NuGet package and most of its dependencies reside on ```` - ## Access NuGet Packages behind Firewall To access the Telerik NuGet feed behind a firewall that restricts outgoing requests, you may need to allow the following domains: @@ -183,12 +177,6 @@ To access the Telerik NuGet feed behind a firewall that restricts outgoing reque The firewall must allow some of the requests to be redirected from `nuget.telerik.com` to `downloads.cdn.telerik.com`. - -## Obsolete Telerik NuGet URL - -The NuGet v2 server at `https://nuget.telerik.com/nuget` was sunset in November 2024 and is no longer available. The v3 protocol offers faster package searches and restores, improved security, and more reliable infrastructure. To redirect your feed to the NuGet v3 protocol, all you have to do is to change your NuGet package source URL to `https://nuget.telerik.com/v3/index.json`. - - ## Troubleshooting See the [NuGet Troubleshooting](slug:troubleshooting-nuget) article for tips about common pitfalls when working with the Telerik NuGet feed. From c817949cf758ac96f560b77f7db442e92740f9f9 Mon Sep 17 00:00:00 2001 From: Yordan Mitev Date: Tue, 9 Sep 2025 14:54:52 +0300 Subject: [PATCH 2/9] Address feedback from review --- _contentTemplates/common/get-started.md | 35 ++++++++++++++++-- deployment/nuget-keys.md | 23 ++---------- getting-started/client-blazor.md | 2 +- getting-started/web-app.md | 2 +- .../images/account-generate-nuget-api-key.png | Bin 9988 -> 0 bytes installation/nuget.md | 14 +------ 6 files changed, 38 insertions(+), 38 deletions(-) delete mode 100644 installation/images/account-generate-nuget-api-key.png diff --git a/_contentTemplates/common/get-started.md b/_contentTemplates/common/get-started.md index eeb3892e87..4dd17d011e 100644 --- a/_contentTemplates/common/get-started.md +++ b/_contentTemplates/common/get-started.md @@ -21,11 +21,40 @@ #end +#generate-nuget-api-key + +As the Telerik NuGet server requires authentication, the first step is to obtain an API key that you will use instead of a password. Using an API key instead of a password is a more secure approach, especially when working with [.NET CLI](#use-the-net-cli) or the [`NuGet.Config` file](#edit-the-nugetconfig-file). + +1. Go to the [NuGet Keys](https://www.telerik.com/account/downloads/nuget-keys) page in your Telerik account. +1. Click **Generate New Key +**. +1. In the **Key Note** field, add a note that describes the API key. +1. Click **Generate Key**. +1. Select **Copy and Close**. Once you close the window, you can no longer copy the generated key. For security reasons, the **NuGet Keys** page displays only a portion of the key. +1. Store the generated NuGet API key as you will need it in the next steps. + +Whenever you need to authenticate your system with the Telerik NuGet server, use `api-key` as the username and your generated API key as the password. +#end #add-nuget-feed ## Step 3: Add the Telerik NuGet Feed to Visual Studio -In this tutorial, you will use the [Telerik NuGet feed](slug:installation/nuget) to download the UI for Blazor components. This NuGet feed is private and requires you to authenticate with your Telerik user name and password: +In this tutorial, you will use the [Telerik NuGet feed](slug:installation/nuget) to download the UI for Blazor components. This NuGet feed is private and requires you to authenticate with a NuGet API key. + +To generate your NuGet API key: + +1. Go to the [NuGet Keys](https://www.telerik.com/account/downloads/nuget-keys) page in your Telerik account. + +1. Click **Generate New Key +**. + +1. In the **Key Note** field, add a note that describes the API key. + +1. Click **Generate Key**. + +1. Select **Copy and Close**. Once you close the window, you can no longer copy the generated key. For security reasons, the **NuGet Keys** page displays only a portion of the key. + +1. Store the generated NuGet API key as you will need it in the next steps. + +Next, add the Telerik NuGet feed to Visual Studio: 1. In Visual Studio and go to **Tools** > **NuGet Package Manager** > **Package Manager Settings**. @@ -37,9 +66,9 @@ In this tutorial, you will use the [Telerik NuGet feed](slug:installation/nuget) ![Add the Telerik NuGet Feed in Visual Studio](images/telerik-nuget-feed.png) -1. Whenever Visual Studio displays a dialog to enter credentials for `nuget.telerik.com`, use your Telerik account email and password. +1. Whenever Visual Studio displays a dialog to enter credentials for `nuget.telerik.com`, use `api-key` as the username and your NuGet API key as the password. ->tip For alternative NuGet package download options, check the [Workflow article](slug:getting-started/what-you-need). You can also [authenticate with `nuget.telerik.com` with an API key](slug:installation/nuget#use-nuget-api-key). +>tip For alternative NuGet package download options, check the [Workflow article](slug:getting-started/what-you-need). #end diff --git a/deployment/nuget-keys.md b/deployment/nuget-keys.md index 0c06780f6b..a1334793f7 100644 --- a/deployment/nuget-keys.md +++ b/deployment/nuget-keys.md @@ -10,32 +10,15 @@ position: 10 This article describes how to use token-based authentication for the Telerik NuGet feed. You will learn how to create and use NuGet API keys to restore Telerik NuGet packages in your Continuous Integration (CI) workflow. -The [Telerik NuGet server](slug:installation/nuget) provides two ways to authenticate: - -* Basic authentication with your Telerik username and password. -* Token-based authentication with a NuGet API key. - -When you need to restore the [Telerik NuGet packages](slug:getting-started/what-you-need#nuget-packages) as part of your CI, a NuGet API key is the more secure way to authenticate. This method does not require you to provide your Telerik credentials anywhere in the CI workflow. A NuGet Key has a limited scope and can be used only with the Telerik NuGet server. If any of your NuGet keys is compromised, you can quickly delete it and create a new one. - +When you need to restore the [Telerik NuGet packages](slug:getting-started/what-you-need#nuget-packages) as part of your CI, using NuGet keys provides a secure way to authenticate. This method does not require you to provide your Telerik credentials anywhere in the CI workflow. A NuGet Key has a limited scope and can be used only with the Telerik NuGet server. If any of your NuGet keys is compromised, you can quickly delete it and create a new one. ## Generating NuGet Keys -1. In your Telerik account, go to the [**Manage NuGet Keys**](https://www.telerik.com/account/downloads/nuget-keys) page. - - ![Manage NuGet Keys](../deployment/images/manage-nuget-keys.png) - -1. Click **Generate New Key**. - -1. Enter a name for the NuGet Key and click **Generate Key**. - -1. To copy the key, click **Copy and Close**. Once you close the popup dialog, you can no longer copy the generated key. For security reasons, the **NuGet Keys** page displays only a portion of the key. - - ![Copy Generated NuGet Key](../deployment/images/copy-nuget-key.png) - +@[template](/_contentTemplates/common/get-started.md#generate-nuget-api-key) ## Storing NuGet Keys ->warning Never check in Telerik account credentials or a NuGet API key with your source code or leave them publicly visible in plain text (for example, in a `NuGet.Config` file). A NuGet key is valuable and bad actors can use it to access the NuGet packages that are licensed under your account. A key abuse can lead to a review of the affected Telerik account. +>warning Never check in a NuGet API key with your source code or leave them publicly visible in plain text (for example, in a `NuGet.Config` file). A NuGet key is valuable and bad actors can use it to access the NuGet packages that are licensed under your account. A key abuse can lead to a review of the affected Telerik account. To protect the NuGet Key, store it as a secret environment variable. The exact store steps depend on your workflow and environment: diff --git a/getting-started/client-blazor.md b/getting-started/client-blazor.md index 44a9c688f9..79619205b8 100644 --- a/getting-started/client-blazor.md +++ b/getting-started/client-blazor.md @@ -48,7 +48,7 @@ This article explains how to get the warning Never check in a NuGet API key with your source code or leave them publicly visible in plain text (for example, in a `NuGet.Config` file). A NuGet key is valuable and bad actors can use it to access the NuGet packages that are licensed under your account. A key abuse can lead to a review of the affected Telerik account. +>warning Never check in a NuGet API key with your source code or leave them publicly visible in plain text (for example, in a `NuGet.Config` file). An API key is valuable and bad actors can use it to access the NuGet packages that are licensed under your account. A key abuse can lead to a review of the affected Telerik account. -To protect the NuGet Key, store it as a secret environment variable. The exact store steps depend on your workflow and environment: +To protect the API key, store it as a secret environment variable. The exact store steps depend on your workflow and environment: * In GitHub Actions, save the key as a [GitHub Actions Secret](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions). -* In Azure DevOps, save the key as a [secret Azure DevOps pipeline variable](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables). If you use an Azure DevOps Service connection instead of secret environment variables, enter `api-key` in the username field and the NuGet key as the password in the **New NuGet service connection** form editor. +* In Azure DevOps, save the key as a [secret Azure DevOps pipeline variable](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables). If you use an Azure DevOps Service connection instead of secret environment variables, enter `api-key` in the username field and the API key as the password in the **New NuGet service connection** form editor. * In Docker images, save the key as a [Docker secret](https://docs.docker.com/tags/secrets/). -For more details on storing and protecting your NuGet Key, check the [Announcing NuGet Keys](https://www.telerik.com/blogs/announcing-nuget-keys) blog post by Lance McCarthy. +For more details on storing and protecting your API key, check the [Announcing NuGet Keys](https://www.telerik.com/blogs/announcing-nuget-keys) blog post by Lance McCarthy. The examples below assume that the secret environment variable name is `TELERIK_NUGET_KEY`. -## Using NuGet Keys +## Using API Keys -There are two common ways to use a [stored NuGet key](#storing-nuget-keys) with the Telerik NuGet server during a build: +There are two common ways to use a [stored API key](#storing-api-keys) with the Telerik NuGet server during a build: * [Using a NuGet.Config file](#using-a-nuget-config-file) * [Using only CLI commands](#using-net-cli-commands) -For more information on how to use NuGet keys in a build, check the [Announcing NuGet Keys](https://www.telerik.com/blogs/announcing-nuget-keys) blog post by Lance McCarthy. +For more information on how to use API keys in a build, check the [Announcing NuGet Keys](https://www.telerik.com/blogs/announcing-nuget-keys) blog post by Lance McCarthy. ### Using a NuGet.Config File @@ -65,7 +65,7 @@ In your `NuGet.Config` file, set the `Username` value to `api-key` and the `Clea ### Using .NET CLI Commands -You can use the .NET CLI `add source` or `update source` commands to set the credentials of a package source. This CLI approach is applicable if your CI system doesn't support [environment variable secrets](#storing-nuget-keys) or if you do not [use a custom `NuGet.Config`](#using-a-nuget-config-file). +You can use the .NET CLI `add source` or `update source` commands to set the credentials of a package source. This CLI approach is applicable if your CI system doesn't support [environment variable secrets](#storing-api-keys) or if you do not [use a custom `NuGet.Config`](#using-a-nuget-config-file). * To set the credentials in Azure DevOps: diff --git a/installation/nuget.md b/installation/nuget.md index 630417ce78..54bdab7ffb 100644 --- a/installation/nuget.md +++ b/installation/nuget.md @@ -22,7 +22,7 @@ You can set up the remote Telerik NuGet feed in the following ways: Regardless of how you set up the Telerik NuGet feed, you must first [generate a NuGet API key](#generate-a-nuget-api-key) needed for the authentication. ->warning Never hard-code your Telerik NuGet API keys in a `NuGet.Config` file in a GitHub repository, Docker image, or any location that may be accessed by unauthorized parties. A NuGet key is valuable and bad actors can use it to access the NuGet packages that are licensed under your account. A credentials abuse can lead to a review of the affected Telerik account. +>warning Never hard-code your Telerik NuGet API keys in a `NuGet.Config` file in a GitHub repository, Docker image, or any location that may be accessed by unauthorized parties. An API key is valuable and bad actors can use it to access the NuGet packages that are licensed under your account. A credentials abuse can lead to a review of the affected Telerik account. For NuGet-related issues, see [NuGet Feed Troubleshooting](slug:troubleshooting-nuget). diff --git a/troubleshooting/nuget-feed.md b/troubleshooting/nuget-feed.md index eebe7e897b..4e8cac899b 100644 --- a/troubleshooting/nuget-feed.md +++ b/troubleshooting/nuget-feed.md @@ -64,14 +64,14 @@ If you suspect that your saved credentials are wrong, use the following steps to * No provided credentials * Incorrect password * [Correct password with unescaped special characters](#special-characters-in-the-password) -* Using an invalidated (removed) [Telerik NuGet API key](slug:installation/nuget#use-nuget-api-key), which no longer exists in your Telerik account. +* Using an invalidated (removed) [Telerik NuGet API key](slug:installation/nuget#use-nuget-api-key), which no longer exists in your Telerik account. * Using a valid Telerik NuGet API key with the wrong username. It must be `api-key`. An easy way to verify your credentials is to [access the Telerik NuGet server directly in the web browser](#tips-for-handling-common-nuget-issues). Then, depending on your setup, check or update your credentials in: * The applicable `NuGet.Config` file. There may be multiple such files on the device. * [Windows Credential Manager](#removing-saved-credentials) -* In a [CI/CD workflow](slug:deployment-nuget#using-net-cli-commands), which [obtains the credentials from a secret](slug:deployment-nuget#storing-nuget-keys). +* In a [CI/CD workflow](slug:deployment-nuget#using-net-cli-commands), which [obtains the credentials from a secret](slug:deployment-nuget#storing-api-keys). ### Special Characters in the Password From f9d7270aecc7b8b7aa219a5fe7a180db254a8188 Mon Sep 17 00:00:00 2001 From: Yordan <60105689+yordan-mitev@users.noreply.github.com> Date: Mon, 27 Oct 2025 10:10:06 +0200 Subject: [PATCH 4/9] Apply suggestion from @dimodi Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- _contentTemplates/common/get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_contentTemplates/common/get-started.md b/_contentTemplates/common/get-started.md index ced083b832..e8e262a12b 100644 --- a/_contentTemplates/common/get-started.md +++ b/_contentTemplates/common/get-started.md @@ -23,7 +23,7 @@ #generate-nuget-api-key -As the Telerik NuGet server requires authentication, the first step is to obtain an API key that you will use instead of a password. Using an API key instead of a password is a more secure approach, especially when working with [.NET CLI](#use-the-net-cli) or the [`NuGet.Config` file](#edit-the-nugetconfig-file). +As the Telerik NuGet server requires authentication, the first step is to obtain an API key that you will use instead of a password. Using an API key instead of a password is a more secure approach, especially when working with the [.NET CLI](#use-the-net-cli) or a [`NuGet.Config` file](#edit-the-nugetconfig-file). 1. Go to the [API Keys](https://www.telerik.com/account/downloads/api-keys) page in your Telerik account. 1. Click **Generate New Key +**. From 29768b80404bdcefed1fdb4bb448faf8d400afa0 Mon Sep 17 00:00:00 2001 From: Yordan <60105689+yordan-mitev@users.noreply.github.com> Date: Mon, 27 Oct 2025 10:10:37 +0200 Subject: [PATCH 5/9] Apply suggestion from @dimodi Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- deployment/nuget-keys.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/nuget-keys.md b/deployment/nuget-keys.md index 30b6ea09d2..3509ff6f5a 100644 --- a/deployment/nuget-keys.md +++ b/deployment/nuget-keys.md @@ -18,7 +18,7 @@ When you need to restore the [Telerik NuGet packages](slug:getting-started/what- ## Storing API Keys ->warning Never check in a NuGet API key with your source code or leave them publicly visible in plain text (for example, in a `NuGet.Config` file). An API key is valuable and bad actors can use it to access the NuGet packages that are licensed under your account. A key abuse can lead to a review of the affected Telerik account. +>warning Never check in NuGet API keys with your source code or leave them publicly visible in plain text (for example, in a `NuGet.Config` file). An API key is valuable and bad actors can use it to access the NuGet packages that are licensed under your account. A key abuse can lead to a review of the affected Telerik account. To protect the API key, store it as a secret environment variable. The exact store steps depend on your workflow and environment: From b8b9ed9e79a016456999f4b9be7f21dcb472faaa Mon Sep 17 00:00:00 2001 From: Yordan <60105689+yordan-mitev@users.noreply.github.com> Date: Mon, 27 Oct 2025 10:10:45 +0200 Subject: [PATCH 6/9] Apply suggestion from @dimodi Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- deployment/nuget-keys.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployment/nuget-keys.md b/deployment/nuget-keys.md index 3509ff6f5a..1690571ca6 100644 --- a/deployment/nuget-keys.md +++ b/deployment/nuget-keys.md @@ -35,8 +35,8 @@ The examples below assume that the secret environment variable name is `TELERIK_ There are two common ways to use a [stored API key](#storing-api-keys) with the Telerik NuGet server during a build: -* [Using a NuGet.Config file](#using-a-nuget-config-file) -* [Using only CLI commands](#using-net-cli-commands) +* [Use a NuGet.Config file](#using-a-nuget-config-file) +* [Use only CLI commands](#using-net-cli-commands) For more information on how to use API keys in a build, check the [Announcing NuGet Keys](https://www.telerik.com/blogs/announcing-nuget-keys) blog post by Lance McCarthy. From bdd700c259c29f08a6a37278b3d6d008b549ec40 Mon Sep 17 00:00:00 2001 From: Yordan <60105689+yordan-mitev@users.noreply.github.com> Date: Mon, 27 Oct 2025 10:11:11 +0200 Subject: [PATCH 7/9] Apply suggestion from @dimodi Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- installation/nuget.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installation/nuget.md b/installation/nuget.md index 54bdab7ffb..ef3d809530 100644 --- a/installation/nuget.md +++ b/installation/nuget.md @@ -101,7 +101,7 @@ To edit a `NuGet.Config` file and add the Telerik feed, you need to: 1. Ensure you are editing the [correct and desired config file](https://learn.microsoft.com/en-us/nuget/consume-packages/configuring-nuget-behavior#config-file-locations-and-uses). You can also create a new one with the [`dotnet new nugetconfig` command](https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-new). -2. Add the Telerik package source to the config file. For the authentication, use your [NuGet API key](#generate-a-nuget-api-key) as a password and `api-key` as a username. Here is an example of how your `NuGet.Config` file can look like: +2. Add the Telerik package source to the config file. For the authentication, use your [NuGet API key](#generate-a-nuget-api-key) as a password and `api-key` as a username. Add the API key in plain text, because the .NET Core NuGet tooling does not fully support encrypted credentials. Here is an example of how your `NuGet.Config` file can look like: ````XML.skip-repl From 8ee653d4e21ee64bae089edf810cc99028c68c10 Mon Sep 17 00:00:00 2001 From: Yordan <60105689+yordan-mitev@users.noreply.github.com> Date: Mon, 27 Oct 2025 10:11:46 +0200 Subject: [PATCH 8/9] Apply suggestion from @dimodi Co-authored-by: Dimo Dimov <961014+dimodi@users.noreply.github.com> --- installation/nuget.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/installation/nuget.md b/installation/nuget.md index ef3d809530..306854cd43 100644 --- a/installation/nuget.md +++ b/installation/nuget.md @@ -114,8 +114,8 @@ To edit a `NuGet.Config` file and add the Telerik feed, you need to: - - + + From b92ed0ac1fa232b4d3186d72b1fb58b32494142d Mon Sep 17 00:00:00 2001 From: Yordan <60105689+yordan-mitev@users.noreply.github.com> Date: Mon, 27 Oct 2025 15:44:37 +0200 Subject: [PATCH 9/9] address comments --- installation/nuget.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/installation/nuget.md b/installation/nuget.md index 306854cd43..191c8cc567 100644 --- a/installation/nuget.md +++ b/installation/nuget.md @@ -46,8 +46,9 @@ Refer to the [Microsoft documentation about using packages in Visual Studio](htt 1. Click OK. -1. Open a project that references a Telerik NuGet package. For example, generate one through our [New Project Wizard](slug:getting-started-vs-integration-new-project). - * Make sure to remove local `NuGet.Config` files from the solution that contain information about Telerik packages. +1. Open a project that references a Telerik NuGet package. For example, generate one with the [New Project Wizard](slug:getting-started-vs-integration-new-project). + + > Remove local `NuGet.Config` files that contain information about Telerik packages from the solution. 1. Rebuild the solution. @@ -60,7 +61,8 @@ Refer to the [Microsoft documentation about using packages in Visual Studio](htt 7.3. Check the **Remember My Password** checkbox. 1. Your project should now build and restore all packages—including those from nuget.org and from Telerik. - * If you experience issues, see the [NuGet Feed Troubleshooting](slug:troubleshooting-nuget) article. + +> If you experience issues, see the [NuGet Feed Troubleshooting](slug:troubleshooting-nuget) article. ## Use the .NET CLI