How to set username for keyring cli based pip authorization (Azure artifacts)

[jenshnielsen]

For keyring authorization to work with Azure artifacts and the keyring CLI I have to supply a default username that must be
VssSessionToken

Trying to set this for UV in the same way as I would do for pip e.g.

uv pip install --keyring-provider subprocess --index-url https://[email protected]/nameoforg/_packaging/nameoffeed/pypi/simple/ nameofpackage --verbose

results in no keyring operation probably because UV identifies the username as a password/token

DEBUG No cache entry for: https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/nameofpackage/
DEBUG Request already has an authorization header: https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/nameofpackage/
error: HTTP status client error (401 Unauthorized) for url (https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/nameofpackage/)

It seems that pip supports that the form where only one part is given could be both username and a usernameless token but UV does not.

Using the default password on the other hand results in no response from keyring (can be confirmed by calling keyring directly)

uv pip install --keyring-provider subprocess --index-url https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/ nameofpackage --verbose

DEBUG No cache entry for: https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/nameofpackage/
DEBUG Running `keyring get` for `[https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/nameofpackage/`](https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/nameofpackage/%60) with username `oauth2accesstoken`
DEBUG No keyring credentials found for https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/nameofpackage/
DEBUG No credentials found for: https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/nameofpackage/
error: HTTP status client error (401 Unauthorized) for url (https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/nameofpackage/)

If I manually rebuild uv with the default username changed from oauth2accesstoken to VssSessionToken everything works correctly.

Is there a different way I am supposed to embed the username?

System:
Windows 11
Python 3.12 conda env
uv 1.22

[zanieb]

I think we just don't support this yet although we probably can!

Can you share the keyring invocation we are performing and the other you would prefer?

[zanieb]

Okay thanks I can take a look into this unless @BakerNet is interested

[jenshnielsen]

Thanks @zanieb
In the first example with the username given as part of the url (but no password in the url)
no keyring invocation is triggered since UV seems to assume that the username provided in the url is a token.

In the second example you call keyring something like this (which would return None)

keyring get https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/ oauth2accesstoken

but I would need.

keyring get https://pkgs.dev.azure.com/nameoforg/_packaging/nameoffeed/pypi/simple/ VssSessionToken 

which correctly returns a token when I call it from the commandline

[BakerNet]

Okay thanks I can take a look into this unless @BakerNet is interested

I know why this is happening and can work on it. It's because of the early return in the middleware when the header is already added from the URL. If there is a username in the URL, but no password, it should be checking keyring and replacing the header if found.

pip only relies on URL encoded auth if it includes a password, but uv is currently relying on it even if it only contains username.

[BakerNet]

The PR for this has been ready for a few days (#2570 )

I don't mean to rush, just an FYI in case it wasn't clear it's ready for review.

[zanieb]

Should be resolved by #2976 and available in the next release.