After NuGet experiences one HTTP 401 response from a server, sending more unauthenticated requests just increases latency and increases the server workload processing these requests.
Any action where NuGet makes more than 1 HTTP request to a server will reproduce the result. For a V3 feed, since the first request is the service index, it's effectively possible to restore a single package, or open the browse tab in PM UI.
In HttpSourceAuthenticationHandler, when a response is an HTTP 401, NuGet needs to check if the WWW-Authenticate header exists, and if so, when it responds with the Basic scheme, NuGet needs to explicitly set the Authorization header on all future requests. If a future 401 response is received, credentials should be re-requested, in case the customer interactively provided a credential and made a typo, or if a cred provider returned a time-limited token that needs to be refreshed.
Since we're going to have to handle Basic authentication ourselves, it would be great to also handle Bearer, since that will enable OAuth2 (including OIDC) credential providers. It should be effectively zero cost to add once Basic is handled.
NuGet Product Used
Other/NA
Product Version
all
Worked before?
No response
Impact
Other
Repro Steps & Context
see:
We previously tried HttpClientHandler.PreAuthenticate, but there's a bug in the .NET runtime:
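The behaviour requested in the issue, as an added example that is neither part of the issue nor NuGet's code: a `DelegatingHandler` that reads the `WWW-Authenticate` challenge on a 401, caches a Basic or Bearer `Authorization` header for all later requests, and asks for the credential again when a later 401 arrives. `PreemptiveAuthHandler` and the `getCredential` callback are hypothetical names, and UTF-8 encoding of the Basic credential is an assumption.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler, not NuGet's HttpSourceAuthenticationHandler. Use one instance
// per package source so a cached credential is never sent to a different server.
public sealed class PreemptiveAuthHandler : DelegatingHandler
{
    // Assumed callback: takes the scheme, returns "user:password" (Basic), a token (Bearer) or null.
    private readonly Func<string, CancellationToken, Task<string>> _getCredential;
    private readonly SemaphoreSlim _refresh = new SemaphoreSlim(1, 1);
    private volatile AuthenticationHeaderValue _cached;
    public PreemptiveAuthHandler(HttpMessageHandler inner,
        Func<string, CancellationToken, Task<string>> getCredential) : base(inner) => _getCredential = getCredential;
    private static bool Is(string a, string b) => string.Equals(a, b, StringComparison.OrdinalIgnoreCase);
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // Resending the same message assumes a bodyless request (GET), as feed reads are.
        for (int asked = 0; ; )
        {
            var sent = _cached;
            if (sent != null) request.Headers.Authorization = sent; // skips the 401 round trip
            var response = await base.SendAsync(request, ct);
            if (response.StatusCode != HttpStatusCode.Unauthorized) return response;
            // Scheme names are case-insensitive; only Basic and Bearer challenges are handled.
            var scheme = response.Headers.WwwAuthenticate.Select(h => h.Scheme)
                .FirstOrDefault(s => Is(s, "Basic") || Is(s, "Bearer"));
            if (scheme == null) return response;
            await _refresh.WaitAsync(ct);
            try
            {
                // Another request already refreshed the credential: retry with it, do not prompt twice.
                if (!ReferenceEquals(sent, _cached)) { response.Dispose(); continue; }
                // A 401 despite a credential means a typo or an expired token: ask again (3 times at most).
                var secret = asked++ < 3 ? await _getCredential(scheme, ct) : null;
                if (secret == null) return response;
                _cached = Is(scheme, "Basic")
                    ? new AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes(secret)))
                    : new AuthenticationHeaderValue("Bearer", secret);
            }
            finally { _refresh.Release(); }
            response.Dispose();
        }
    }
}
```

Because the header is attached before any challenge is seen, the handler should only sit in front of an HTTPS source whose credentials it was configured for.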