follow_redirects and `.netrc` credentials

Open jjagielka opened this issue 3 years ago • 1 comments

httpx uses .netrc credentials for automatic login when an HTTP call is triggered, but it does not apply .netrc credentials when following redirects (follow_redirects=True).

Site 1 -> Site 2 -> Site 3

If authorization is required on Site 2, follow_redirects won't work even if .netrc contains an entry for that site.

requests does apply .netrc for traversed sites.

This is especially useful if the Site 2 above is a Single Sign On server.

Originally posted by @jjagielka in https://github.com/encode/httpx/discussions/2087

jjagielka avatar Feb 18 '22 14:02 jjagielka

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Mar 27 '22 08:03 stale[bot]

Hi, I'm up for fixing this. I'll be back once I've taken a good look at the code to discuss a potential solution.

Right now, I think the tricky part is that there might already be an auth_flow running while redirecting, so starting a new nested auth flow might create some issues.

nkitsaini avatar Oct 03 '22 04:10 nkitsaini

I'd suggest that a good approach to starting this off would be...

  • Describe a complete, simple example.
  • Write a test case in tests/client/test_auth.py, using MockTransport to mock the example.
  • Review at this point, so we can be confident that we've properly described how we'd like the behaviour to change.
  • Work on the code changes.

Working on the code changes themselves probably needs to come last, only once we've got this more precisely identified first.

lovelydinosaur avatar Oct 03 '22 08:10 lovelydinosaur

Okay. So... I think having an explicit NetRCAuth class helps clarify a little bit here, because it shows that we have the same kind of behaviour for all our auth classes in this regard.

Which is...

When a cross-domain redirect occurs, we remove the Authorization header, and don't automatically re-apply it.

If you want a redirect to reapply the auth, then you'd need to handle that explicitly.

If someone would like to help out with documenting this, then I suppose a good start would be to write up an example in this thread which shows how to deal with redirects explicitly.

A starting point for figuring that out would be this part of the docs...

https://www.python-httpx.org/quickstart/#redirection-and-history

You'd want to use request.has_redirect_location, request.next_request and Client.send(request, auth=...).

lovelydinosaur avatar Jan 12 '23 11:01 lovelydinosaur

Given that we now have an explicit NetRCAuth class, and that our cross-domain-redirects behaviour is the same for all our auth classes, I think we can close this one off.

lovelydinosaur avatar Apr 19 '23 12:04 lovelydinosaur