-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for private feeds requiring authentication #39
Comments
Hi! I haven't tried this myself, but since I'm just using the NuGet client libraries to parse Are your credentials stored in the config file? If so, are they encrypted? I think NuGet uses DPAPI to protect credentials and this probably doesn't work on .NET Core. You could test this by putting plaintext credentials in there and seeing if completions work then... |
Looks like this may have been fixed (for Windows only) in newer versions of the NuGet client. I'll check how recent the version I'm using is. |
Yes credentials are encrypted in the config files. |
Does it work if you use plaintext credentials? |
Ok @sandorfr, I've tried using the latest version of the NuGet client libraries but doing so breaks access to v2 NuGet feeds. I'm a little worried that this might cause issues for people who are still using v2 feeds so I'll have to do some research to see how common that still is (it's been a while, so maybe everyone's on v3 feeds by now). I'll also look into whether it's possible to pull in a new version of only the configuration parser library and leave the rest of the client libraries at their existing version (although based on the NuGet team's track record for backward-compatibility, I'm not all that confident). I'll let you know what I find; in the meanwhile, would you mind trying to store the credentials in plain-text (just temporarily) and see if you can then get package completion to work? It would help me verify that this is the the problem you're having. |
I've pulled in the latest version of their config library but I need to do some testing to make sure nothing is broken. |
Sorry, I forgot to update you, indeed, cleartextpassword works. |
Thanks! I can try building a new version of the VSIX with a newer version
of the NuGet client if you want to try it out, though!
|
Ok @sandorfr - if you have time would you be willing to try out an experimental build? msbuild-project-tools-0.2.41.zip (you'll need to extract the |
(you may need to uninstall the existing extension, first) |
Where is this feature at? Your experimental build above is an older release number than what is currently out there, so is this deployed? Does this updated only work with plain text credentials? Thanks! |
Hi - I'd kinda forgotten about it because I don't have an authenticated feed to test this with. Would you be willing to try it out to see if it works for you? You can just try the latest version (from memory, you can use encrypted credentials on Windows but only plain-text ones on other platforms since .NET Core on those platforms doesn't have DPAPI). |
Actually if it's just looking for an encrypted nuget.config file I don't think it will work for me. I'm using the MicrosoftCredentialProvider for my dotnet core application. The credentials it stores are to log in to VSTS (now called Azure DevOps) and get Nuget packages from that source. It stores the credentials encrypted in a binary file. Here is a link to the documentation and this is where the credentials are stored:
|
Sorry, that link just takes me back to this issue - could you try re-posting it? |
BTW unless I'm mistaken, I don't think I can use the very latest version of the NuGet client libraries because, as of some version a while back, they no longer support v2 feeds. I'm not sure whether we're ready to drop v2 feed support yet (I'd need to figure out what percentage of our uses are still using them before making a decision). |
Sorry, here is the correct link. |
If you can't read directly from the encrypted file, maybe you can call into the credential provider and use the interactive login feature, just like dotnet restore does? Or maybe there's a function you can call to go get the credentials and decrypt them automagically. I haven't looked at the code in this project yet to see if it would be possible to call into a DLL or not, I'll poke around a bit... |
It looks like the microsoft credential provider is actually a nuget plugin, so if if you use nuget it will just work, no effort needed. But it needs nuget version 4.8.0.5385 or later. According to this the nuget 4.x client is no longer compatible with v2 feeds, which must be what you're talking about. Can you use both versions? Try to restore with the older nuget client and if it fails try the newer client? |
Unfortunately, no, I don't think we can build against both versions at the same time (not unless we launched a separate process to retrieve completions, which would probably be too slow to be useful). I think for now we can only support plain-text credentials (or DPAPI-protected ones on Windows?) until we're willing to drop support for v2 feeds. At this stage I'm planning to drop support for v2 feeds at the end of the year (I'll be spending some time in the next 2 months working out how common v2 feeds still are) at which point we'll pull in the latest NuGet packages and you'll get support for the Microsoft credential provider. Sorry for the delay on this, but I want to make sure I don't break existing users any more than I have to 😁 |
Thanks for the link to the credential provider, BTW - this looks like it will be useful once we upgrade. |
Okay, great to know this will come in time! The NuGet Package Manager extension also doesn't support authenticated package sources so you'll have a leg up on them :) |
Sorry, I've not found the time to do extensive testing. But the public version was working fine with cleatextpassword in the nuget.config. The problem with that approach is that other tools (including visual studio) tend to mess with that. @ijabit seem to have nailed the core issues. When it comes to private authenticated feed for testing, vsts artifacts is completely free for 5 users. So you should be covered :) https://marketplace.visualstudio.com/items?itemName=ms.feed |
This appears to persist into the 0.3.12+ era. Here's from a recent hand-rolled 0.3.13 release (testing for another issue here)...
Seems there are a few issues related to the Azure Artifacts Credential Provider and .NET 5, unsure if this overlaps. |
Hmm - this was a PITA back in the day (very hacky), but if the NuGet feed API actually supports / respects credentials then we can probably manage to do the same (I’ll have to see how they do it before knowing the effort involved).... |
Glad I don’t have to build a plug-in myself or this would be a non-starter! |
Implemented in v0.4.0. |
I might be wrong but I have the feeling that when it comes to PackageReference Intellisense it does not support private feed which are requiring authentication.
The text was updated successfully, but these errors were encountered: