
Is it possible to use a JSON Web Token/JWT in a pip.conf file?


I'm trying to make it possible for my application to fetch a package from a private feed in Azure DevOps using pip and a pip.conf file. I don't want to use a PAT for obvious reasons, so I've created a service principal for the app. The app can retrieve a JWT with the service principal, which I would like to put into the pip.conf file instead of my PAT. Now my question is pretty simple, but I really couldn't find an answer even after hours of searching the internet:

Is it possible to use a JWT in a pip.conf file?

The file looks like this, and I would like to put the JWT where the PAT normally goes:

[global]
extra-index-url=https://<JWT>@pkgs.dev.azure.com/<myfeed>/pypi/simple/

Is this syntax possible, and if not, is there another way to use a JWT to authenticate with pip?

Thanks in advance!


Solution

  • Is this syntax possible, and if not, is there another way to use a JWT to authenticate with pip?

    No, JWT is not supported in the syntax. You can check the alternatives below:

    If you are using a DevOps pipeline to install the package, you can use system.accesstoken instead of a PAT to authenticate with the feed. Just make sure you have set the job access token properly, and add Project Collection Build Service ({OrgName}) or {Project Name} Build Service ({Org Name}) to the feed as contributor accordingly.

    For feeds in the same DevOps organization:

    - task: Bash@3
      inputs:
        targetType: 'inline'
        script: |
          pip install twine keyring artifacts-keyring
          python -m pip install --upgrade pip
          export PIP_INDEX_URL='https://build:$(system.accesstoken)@pkgs.dev.azure.com/{orgname}/_packaging/{feedname}/pypi/simple'
          pip install simple-package
    


    If the feed is in another organization, different from the pipeline's, but the organizations are linked to the same Azure Active Directory, you can set the outside feed as an upstream source. If the organizations are linked to different Azure Active Directories, you can use the task below, which needs a Python service connection (username & password, or a personal access token, to create).

      - task: TwineAuthenticate@0
        displayName: Configure twine authentication
        inputs:
          artifactFeeds: '$(artifactFeed)'
          externalFeeds: 'ExternalPythonFeed'
    

    Another way is to use the REST API Python - Download Package to download the file, and then install the Python package. Steps:

    1. Add the service principal as DevOps user, and add to the target project.

    2. Add the service principal as contributor/reader role on the feed role setting.

    3. az login with the service principal, and get the token (az account get-access-token).

    4. Use the token as bearer token for the REST API to download the Python feed package file.


    5. Install the package.

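Added example (not from the question or the answer above): a short-lived token such as the one from az account get-access-token goes stale, so a practitioner would check its exp claim before use and hand it to pip through the PIP_INDEX_URL environment variable (the same build:&lt;token&gt;@pkgs.dev.azure.com pattern as the pipeline snippet) rather than writing it into pip.conf on disk. The sample token is constructed and unsigned; org name, feed name and the "build" user name are placeholders.

```python
import base64
import json
import time
from urllib.parse import quote


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    The feed verifies the signature; we only inspect lifetime before use."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_usable(token: str, now=None, min_remaining: int = 60) -> bool:
    """True if the token's exp claim leaves at least min_remaining seconds."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    return claims.get("exp", 0) - now >= min_remaining


def build_index_url(org: str, feed: str, token: str, user: str = "build") -> str:
    """Index URL in the answer's pattern; credentials are percent-encoded so
    characters like '@' or '/' in a token cannot break the URL."""
    cred = f"{quote(user, safe='')}:{quote(token, safe='')}"
    return f"https://{cred}@pkgs.dev.azure.com/{org}/_packaging/{feed}/pypi/simple"


def pip_env(org: str, feed: str, token: str) -> dict:
    """Env vars for a pip subprocess; pip reads PIP_INDEX_URL, so nothing is written to pip.conf."""
    return {"PIP_INDEX_URL": build_index_url(org, feed, token)}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(exp: int) -> str:
    """Constructed, unsigned sample JWT for the demo only (signature is a placeholder)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": "example-feed", "exp": exp}).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    tok = make_sample_token(int(time.time()) + 3600)  # constructed token, valid for 1h
    if token_is_usable(tok):
        env = pip_env("myorg", "myfeed", tok)  # placeholder org/feed
        # subprocess.run(["pip", "install", "simple-package"], env={**os.environ, **env})
        print("PIP_INDEX_URL set for", env["PIP_INDEX_URL"].split("@", 1)[1])
```

Passing the env mapping to subprocess keeps the token out of shell history and config files; an expired token is refused before pip ever sends it.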