microsoft / artifacts-keyring

Keyring backend for Azure Artifacts
MIT License

Have to input credentials twice for two feeds? #54

Open tboerstad opened 1 year ago

tboerstad commented 1 year ago

We have multiple feeds for our company. We use the same authentication for both, but the following code will ask the user to authenticate twice.

Is this intended? It does not create a user-friendly experience.

```python
from artifacts_keyring import CredentialProvider

feeds = ["feed1", "feed2"]

# Each feed URL triggers its own authentication prompt.
for f in feeds:
    CredentialProvider().get_credentials(url=f"https://pkgs.dev.azure.com/COMPANY/PROJECT/_packaging/{f}/pypi/simple/")
```

JohnSchmeichel commented 1 year ago

This should be resolved once we upgrade to use the latest version of the credential provider. Can you try setting this environment variable to see if it resolves your issue?

```
# Windows
set NUGET_CREDENTIALPROVIDER_MSAL_ENABLED=true

# Linux/Mac
export NUGET_CREDENTIALPROVIDER_MSAL_ENABLED=true
```

The credential provider will cache tokens per feed URL (which is currently by design as there may be different identities for different permissions), but at the tenant authority level there is also token caching that should kick in, but was off by default on older versions. There is an ongoing move to MSAL by default which has the tenant authority token cache enabled by default.

tboerstad commented 1 year ago

It still asks me to provide the code twice. I was using WSL2/Ubuntu, and you can see that MSAL was used.

The login screen is also very confusing: it asks me to sign into Visual Studio Legacy. I'm not signing into Visual Studio, I'm trying to authenticate against a package feed on Azure DevOps. This doesn't make sense.

Screenshot from 2023-06-22 13-16-44


```
**********************************************************************

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code GU2M46NPH to authenticate.

**********************************************************************

[Information] [CredentialProvider]VstsCredentialProvider - Acquired bearer token using 'Msal Device Code'
[Information] [CredentialProvider]VstsCredentialProvider - Attempting to exchange the bearer token for an Azure DevOps session token.
```

JohnSchmeichel commented 1 year ago

Trying to see if I can come up with a repro of this, can you collect logs and provide them (may need to scrub them for PII):

```
export NUGET_CREDENTIALPROVIDER_LOG_PATH=/var/log/artifacts-credprovider.log
```

Re-run with the above set and it should put all internal logs in the same file.

As for the 'Visual Studio - Legacy': historically this credential provider has re-used the Visual Studio app registration, but with new features in MSAL (e.g. WAM Broker) they've moved to a new registration and renamed the old one. Recent versions of the credential provider use a new app registration. We'll be shipping an update here to pick up the latest version.
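
One way to scrub a credential provider log before attaching it to a public issue, as requested above. This is an added example, not part of the thread or the project's code; the patterns and the `[Verbose]` sample lines are constructed assumptions about what such a log may contain, so the output still needs a manual review before sharing.

```python
import re
import sys

# (label, pattern, replacement). These patterns are assumptions about what a
# credential provider log may contain; extend them after reading your own log.
PATTERNS = [
    # JWT-shaped bearer/session tokens: three base64url segments.
    ("token", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"), "<TOKEN>"),
    # E-mail addresses / user principal names.
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "<EMAIL>"),
    # GUIDs such as tenant, client or object ids.
    ("guid", re.compile(r"\b[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\b"),
     "<GUID>"),
    # Device-code prompt: the code is usable until it expires or is redeemed.
    ("device_code", re.compile(r"(enter the code )\S+"), r"\1<DEVICE_CODE>"),
    # Organization, optional project and feed name in feed URLs.
    ("feed_url", re.compile(r"(https://pkgs\.dev\.azure\.com/)\S*?(/_packaging/)[^/\s]+"),
     r"\1<SCOPE>\2<FEED>"),
    # Local account name in home-directory paths.
    ("home_dir", re.compile(r"(/home/|/Users/|C:\\Users\\)[^/\\\s]+"), r"\1<USER>"),
]

def scrub(text):
    """Return (scrubbed_text, {label: number_of_replacements})."""
    counts = {}
    for label, pattern, replacement in PATTERNS:
        text, counts[label] = pattern.subn(replacement, text)
    return text, counts

# Constructed sample: the first two lines follow the output quoted in this
# thread (with a made-up code); the [Verbose] lines are invented for the demo.
SAMPLE_LOG = """\
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABCD1234X to authenticate.
[Information] [CredentialProvider]VstsCredentialProvider - Acquired bearer token using 'Msal Device Code'
[Verbose] [CredentialProvider]Uri: https://pkgs.dev.azure.com/COMPANY/PROJECT/_packaging/feed1/pypi/simple/
[Verbose] [CredentialProvider]Account: jane.doe@example.com tenant 11111111-2222-3333-4444-555555555555
[Verbose] [CredentialProvider]Cache: /home/jane/.local/share/cache.json token eyJhbGciOiJub25lIn0.eyJzdWIiOiJ4In0.c2ln
"""

if __name__ == "__main__":
    # Usage: python scrub_log.py artifacts-credprovider.log > scrubbed.log
    raw = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    cleaned, stats = scrub(raw)
    sys.stdout.write(cleaned)
    print(stats, file=sys.stderr)  # replacement counts, for a quick sanity check
```
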

tboerstad commented 1 year ago

Here's the log. I cannot spend more time debugging the Azure Python SDK on MS's behalf, sorry.

artifacts-credprovider.log

JohnSchmeichel commented 1 year ago

Was able to repro this on v1.0.1, but not v1.0.8, which will be released as an update in the coming weeks.