⚠ This is a hackathon project with no support or quality guarantee
This project is a prototype to make it easier to push packages... and way more secure too!
See this spec for more information: NuGet.org login authentication workflow for dotnet nuget push
Device Flow prompts you to login by providing a link and a code:
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABC to authenticate.
The user opens their browser, navigates to the page, enters the code, and logs in using their Microsoft account. Once logged in, the app receives a token that can used to authenticate on behalf of the user.
Prerequisites:
- Make sure the NuGet server is on (it uses Azure free tier and turns off if there's no activity)
- Navigate to: https://loshar-auth-wus2.azurewebsites.net/
- Wait until the page loads...
- Install the fake NuGet client:
dotnet tool install --global FakeGet --version 0.1.0
Now push a package with interactive mode enabled:
fakeget push <package.nupkg> -s https://loshar-auth-wus2.azurewebsites.net/v3/index.json --interactiveThis will prompt you to login before uploading the package.
- Intro to Device Code Flow
- Create AAD resources for device flow authentication
- Azure's device flow SDK
You can find the following projects in the src directory:
FakeGet- A minimal NuGet client to prototype new authentication mechanismsNuGetServer- A minimal NuGet server to prototype new authentication mechanismsTestClientandTestServer- Minimal apps to test Azure Active Directory's device flow authentication
Here is the breakdown of API keys leaked on GitHub in the last 90 days:
- 52.5% of keys were in configuration files that are triggered automatically
- 47.5% keys were in scripts to manually upload packages
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.