Tracking Issue for alternative registry authentication (RFC 3139)

[ehuss]

Summary

RFC: #3139
Implementation: #10592
Documentation: https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#registry-auth
Issue: A-registry-authentication Area: registry authentication and authorization (authn authz)

This feature adds the ability to authenticate additional endpoints to a registry, including downloading crates.

Unresolved Issues

• Do registries need a more fine-grained switch for which API commands require authentication?
• The RFC mentions adding --token to additional commands like install and search, but we are leaning away from allowing tokens from being passed in on the command-line due to the ease of leaking. Should the --token flag be added or no? --token won't be added for now.
• Consider changing the name and form of the X- header. See Cargo alternative registry auth rfcs#3139 (comment) and Cargo alternative registry auth rfcs#3139 (comment) Cargo now uses the www-authenticate header with the Cargo scheme and the login_url value, as in WWW-Authenticate: Cargo login_url="https://test-registry-login/me.
• Will there be any concerns with the interaction with RFC 3231 (asymmetric tokens)?
• Require a credential-provider to be defined in order to use authenticated registries

Stabilization tracked in #8933

Future Extensions

• Support authentication with git indexes. Preferably, cargo will transition to HTTP indexes which will make this not necessary.

About tracking issues

Tracking issues are used to record the overall progress of implementation.
They are also used as hubs connecting to other relevant issues, e.g., bugs or open design questions.
A tracking issue is however not meant for large scale discussion, questions, or bug reports about a feature.
Instead, open a dedicated issue for the specific matter and add the relevant feature gate label.

[tarcieri]

The RFC mentions adding --token to additional commands like install and search, but we are leaning away from allowing tokens from being passed in on the command-line due to the ease of leaking. Should the --token flag be added or no?

I would recommend against providing any sort of secret as a command-line argument.

Command line arguments are exposed to the systemwide process environment, which is a risk to any machine running any sort of untrusted process.

Unless additional steps are taken like adding a leading space, it also exposes the secret to the shell's history, which is persisted to disk.

[Stargateur]

Do registries need a more fine-grained switch for which API commands require authentication?

an app can just ignore the token if wanted

Consider changing the name and form of the X- header. See rust-lang/rfcs#3139 (comment) and rust-lang/rfcs#3139 (comment)

I think X- header are depreciated since RFC 6648 (nevermind second command already say it)

[vasanthkg]

Do we expect the solution for private registry authentication while dependencies download ?

[Eh2406]

Yes, authentication will be sent for artifact download requests.

[vasanthkg]

I am using docker container 'rust:bullseye'

root@aa24ac221e56:/# cargo --version
cargo 1.60.0 (d1fd9fe 2022-03-01)`

And the cargo build fails to download the dependencies crates while i am able to publish the crates successfully.

#21 63.39 error: failed to download from https://example.com/artifactory/api/cargo/cargo-local/v1/crates/messagingapi/0.1.0/download
#21 63.39
#21 63.39 Caused by:
#21 63.39 failed to get 200 response from https://example.com/artifactory/api/cargo/cargo-local/v1/crates/messagingapi/0.1.0/download, got 403
executor failed running [/bin/sh -c cargo build --release]: exit code: 101

[Eh2406]

A tracking issue is however not meant for large scale discussion, questions, or bug reports about a feature.
Instead, open a dedicated issue for the specific matter and add the relevant feature gate label.

@vasanthkg Can you open a dedicated issue?

Also this feature (RFC 3139) does not yet have implementation at this time.

For your report: This is probably a bug with how you have artifactory configured. The Cargo team has limited knowledge of how artifactory works and is set up.