Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revisiting custom authentication. #3383

Open
tomchristie opened this issue Oct 30, 2024 · 2 comments
Open

Revisiting custom authentication. #3383

tomchristie opened this issue Oct 30, 2024 · 2 comments
Labels
api change PRs that contain breaking public API changes

Comments

@tomchristie
Copy link
Member

tomchristie commented Oct 30, 2024
edited
Loading

Let's have a go at simplifying our custom authentication API.

We have an existing API using generators and an "auth_flow". (Fantastic at the time, tho now the codebase has matured, I think? can be simplified.)

I assume the following base API would be sufficient for almost all authentication use-cases...

class Auth:
    def authenticate_request(request: Request) -> Request:
        # Most authentication schemes only need to override this method.
        return request 

    def authenticate_response(response: Response) -> Request | None:
        # Challenge-response authentication schemes may override this method,
        # Allows a second request to optionally be made, once a server challenge is received.
        return None

It's feasible that there are might(???) be some exceptional cases where this might not be sufficient, but we have a "Transport API" that allows completely customising the entire request/response implementation. That'd be adequate for anyone needing to implement an oddball multi-stage authentication scheme.

Moderately involved, tho likely still suitable for a new contributor to deal with.

Checklist...

  • Update the base Auth class as above.
  • Update the BasicAuth, DigestAuth and NetRCAuth classes to use the new API.
  • Update the auth handling in _client.py.
  • Update the documentation.
  • Update tests as required.

Simplicity ftw.
@tomchristie tomchristie added the api change PRs that contain breaking public API changes label Oct 30, 2024
@tomchristie
Copy link
Member Author

(Some potentially subtleties around dealing with async cases, let's talk those through as we get there.)

@da1910
Copy link

da1910 commented Jan 6, 2025
edited
Loading

I don't know if we managed to get to the bottom of how we can support Channel Binding in Negotiate authentication. That's likely one of the edge cases where we do need more information.

This KB article explains how it works, somewhat but the gist is that you need to access information from the SSL connection and include it in the authentication flow.

There are plenty of enterprise apps that make use of Kerberos/Windows Authentication and it would be nice if we could support those with httpx, at the moment it's a blocker for adoption if you have to work with these services.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
api change PRs that contain breaking public API changes
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tomchristie @da1910