Option for Windows Integrated Authentication/Single Sign-on #8163

Closed
fedorbirjukov opened this issue Apr 28, 2020 · 6 comments


fedorbirjukov commented Apr 28, 2020

What's the problem this feature will solve?

Support private PyPI indexes with integrated windows authentication.

Describe the solution you'd like

Add an option for integrated windows authentication/single sign-on.

See last commit on this branch for the implementation that I am currently using.

Since pip can read its options from the environment, it can be used in two ways:

  1. Set pip options in the command

    pip --win-sso install --index-url https://my.org/pypi/simple my-package
    
  2. Set pip options in the environment

    set PIP_WIN_SSO=TRUE
    set PIP_INDEX_URL=https://my.org/pypi/simple
    pip install my-package
    

Alternative Solutions

No alternatives yet.

Additional context

This is very similar to Invoke-WebRequest -UseDefaultCredentials in PowerShell, which uses the credentials of the current user to send the web request.

I didn't open a pull request for this because I want to hear your opinions first.

Related to issue #4475 (pip should support custom authentication handlers for private pypi).

@triage-new-issues triage-new-issues bot added the S: needs triage Issues/PRs that need to be triaged label Apr 28, 2020
@pradyunsg
Member

Hi! Thanks for filing an issue @fedorbirjukov!

I'm not a Windows user (currently) and definitely not familiar w/ their SSO. Is there some reason you can't use the keyring integration to achieve this?

@fedorbirjukov
Author

Oh yes, I missed the motivational part. Will try to summarize it below.

The keyring integration requires each user to

  • have a valid generic credential in Windows Credentials
  • update the password whenever it's changed
    Note that if you forget to update the password saved in credentials, pip will use the old value and you might get locked out of your user account (can be temporary or require contacting network admin).
  • also do that for each service/automation user account (e.g. jenkins)
    Although for these accounts passwords usually don't change that often.

Something else:

  • pip cannot access private PyPI index URLs if the index/website uses windows integrated authentication (negotiate NTLM). That means you need to have a second website that uses basic authentication just to use pip.

With windows integrated authentication support you don't have any of these issues.

@pfmoore
Member

pfmoore commented Apr 29, 2020

Can keyring not do windows integrated authentication? Could it be updated to add this, if not? My understanding was that the point of keyring integration was to avoid needing pip to support lots of different authentication options, so ideally I'd prefer to go down that route if we could.

@uranusjr
Member

I think keyring is restricted to authentication methods that can be represented as Basic Auth. The issue here is more like #6708 (Kerberos support), or more generally #4475 (custom authentication handlers), that requires pip to support authenticating the URL with methods other than Basic.

I’m not familiar with Windows Integrated Authentication. Is this a way to do it with requests?
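Added example (not from the issue or from pip's code base): a stdlib-only Python helper that reads the `WWW-Authenticate` challenges of a 401 response and reports whether a stored username/password could answer them, or whether the index offers only Negotiate/NTLM, the situation described in the comments above. The header values are constructed samples and the function names are hypothetical.

```python
import re

# Schemes a stored username/password pair (e.g. from keyring) can answer.
PASSWORD_SCHEMES = {"basic"}
# Schemes used by Windows Integrated Authentication (SPNEGO/Kerberos, NTLM).
INTEGRATED_SCHEMES = {"negotiate", "ntlm"}

# An auth-param looks like key=value; anything else starts a new challenge.
_PARAM = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+\s*=\s*\S")


def split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted string.
    Simplification: backslash-escaped quotes are not handled."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def offered_schemes(header_values):
    """Return the lower-cased auth schemes, in order, from a list of
    WWW-Authenticate header values (one entry per header line)."""
    schemes = []
    for value in header_values:
        for part in split_outside_quotes(value):
            if _PARAM.match(part):
                continue  # parameter of the previous challenge, e.g. charset="UTF-8"
            scheme = part.split()[0].lower()
            if scheme not in schemes:
                schemes.append(scheme)
    return schemes


def diagnose(header_values):
    """'password' if Basic is offered, 'integrated-only' if only
    Negotiate/NTLM is offered, otherwise 'unsupported'."""
    schemes = set(offered_schemes(header_values))
    if schemes & PASSWORD_SCHEMES:
        return "password"
    if schemes & INTEGRATED_SCHEMES:
        return "integrated-only"
    return "unsupported"
```

For a constructed response carrying the two header lines `WWW-Authenticate: Negotiate` and `WWW-Authenticate: NTLM`, `diagnose(["Negotiate", "NTLM"])` returns `"integrated-only"`, so no saved password can satisfy the challenge.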

@pfmoore
Member

pfmoore commented Apr 29, 2020

@uranusjr Ah yes, that makes sense. I'm still a little hesitant to have pip accumulate lots of this type of feature. Maybe we should have a more generic approach that lets users "plug in" requests extensions like this, without needing pip code changes? This is of course another aspect of the wider "pip should have a plugin API" discussion, but I think that discussing such things based on a specific use case is more helpful than having a general "pip should do plugins" debate.

Basically, I'm in favour of tackling this as a use case for #4475.

> Is this a way to do it with requests?

Yes, that's what the OP's implementation does.

@uranusjr
Member

I’m going to use #4475 as an aggregated tracking issue for all these similar problems, since it is unlikely pip is going to add support for each authentication method separately.

@pradyunsg pradyunsg removed the S: needs triage Issues/PRs that need to be triaged label Feb 12, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 1, 2021