Missing support for HTTP authentication prompts

[andreastt]

https://www.w3.org/Bugs/Public/show_bug.cgi?id=28802

csnover:

There is currently no way to handle HTTP authentication prompts when navigating to a page, only pre-authentication with username/password in the URL works (and, apparently, not without workarounds in some browsers like IE).

Related Selenium issue with links to more background and other information: SeleniumHQ/selenium#453

[haroon-sheikh]

@andreastt Any chance we can prioritise this please?

[andreastt]

@haroon-sheikh It is scheduled for level 2 of the specification, so we will likely discuss this at the next F2F in November. However, implementors are currently focussing on level 1 conformance.

[andreastt]

This is a discussion on how to handle HTTP basic access authentication in WebDriver, and not about how to circumvent or work around the current API’s shortcomings.

I alluded in an earlier comment that basic auth might be handled by a new permissions API in general, but this API wound up being tied closely to the Permissions API standard. They are now extending WebDriver which makes it possible to control permissions for a range of web APIs, but since basic auth isn’t part of this standard we still need to find a solution for how to handle this in WebDriver.

[shs96c]

Authentication isn't always via a username and password. Other valid forms include OTPs, and security tokens. Any API for authentication added to webdriver should support those other mechanisms too.

[DavidGangel]

I would say OTP is out of the scope of this ticket. This is usually implemented by a 3rd party service which redirects you to a webpage. In turn a webpage can be handled by selenium.
Security token can not be used securely in a cloud environment like sauce, so that is kind is out of the scope as well.

[shs96c]

NTLM and FaceID are both authentication mechanisms baked into browsers that we need to support. The idea isn't specifically about OTP, it's about the fact that browser-based authentication via modal dialogs owned by the browser aren't always just username and password. My apologies for not making that clearer.

[haroon-sheikh]

@andreastt Do you know where does the priority sit now? When are we planning to make a start on Level 2 conformance?

[andreastt]

I believe most vendors are hesitant to start new feature work before they are in complete conformance with the existing specification.

[whimboo]

It's been a while since TPAC and I wonder if we can make a bit of progress on this issue given that it blocks a couple of people correctly implementing their tests.

Sadly the minutes don't mention someone who should take action on it, but in the final lines Simon asked Brian, if that is a sensible approach and he agreed. So @burg I would like to kindly ask if you would have the time to write down the spec changes?

[burg]

I do not have the bandwidth to develop this endpoint at this time.

…

On Feb 18, 2019, at 7:37 AM, Henrik Skupin ***@***.***> wrote: It's been a while since TPAC and I wonder if we can make a bit of progress on this issue given that it blocks a couple of people correctly implementing their tests. Sadly the minutes don't mention someone who should take action on it, but in the final lines Simon asked Brian, if that is a sensible approach and he agreed. So @burg <https://github.com/burg> I would like to kindly ask if you would have the time to write down the spec changes? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#385 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAEUGCsnQc0qPMqTGjaPY7oNfRFcyO08ks5vOsjHgaJpZM4KNosO>.

[lkord]

any change in this matter?

[vaibhavtripathi]

Since Chrome does not support in-URL auth (https://medium.com/@lmakarov/say-goodbye-to-urls-with-embedded-credentials-b051f6c7b6a3) since v59, are there plans of increasing the priority of this?

[whimboo]

@AutomatedTester who basically could take this up nowadays?

[walter-hernandez]

What is the priority for this?

[AutomatedTester]

At the moment this is not a priority for me. If someone wants to write the prose I will gladly edit it and get it merged.

[dwt]

Hi David,

At the moment this is not a priority for me. If someone wants to write the prose I will gladly edit it and get it merged.

Since I am not too familiar with the project - what would be required to get this to go forward? I am sure there are enough people on this bug report to collaborate on a pull request to move this forward. Beste Regards, Martin Häcker

[AutomatedTester]

You will need to update the details in https://github.com/w3c/webdriver/blob/master/index.html#L1479-L1641 on how to set the authentication. It will need to know how to handle the data coming in from a Selenium binding.

…

On Thu, Mar 12, 2020 at 8:37 PM ***@***.***> wrote: Hi David, > At the moment this is not a priority for me. If someone wants to write the prose I will gladly edit it and get it merged. > Since I am not too familiar with the project - what would be required to get this to go forward? I am sure there are enough people on this bug report to collaborate on a pull request to move this forward. Beste Regards, Martin Häcker — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#385 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA7MBU6EJK7S3XUK4FXWNTRHFBYLANCNFSM4CRWRMHA> .

[walter-hernandez]

@AutomatedTester would something like what selenium-wire incorporated to handle requests and use proxies that require basic authentication be what could inspire the handling of basic authentication here?

[AutomatedTester]

We are not documenting what Selenium does here, we need to document what the browser needs to do in the case that it requires basic authentication. As mentioned in a previous comment you will need to add in prose there that describes what needs to happen

…

On Tue, Mar 17, 2020 at 2:04 PM walter-hernandez ***@***.***> wrote: @AutomatedTester <https://github.com/AutomatedTester> would something like what selenium-wire <https://github.com/wkeeling/selenium-wire> incorporated to handle requests and use proxies that require basic authentication be what could inspire the handling of basic authentication here? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#385 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA7MBRTGA5YGZCLVJIXRDLRH57O7ANCNFSM4CRWRMHA> .

[lukehamil55]

Any priority for this?

[dwt]

It seems that the current workaround is to use use selenium support for the BIDI API to solve this problem. AFAIK it currently only works with Chrome/Chromium.

I don't see any movement happening on this until we from the community create pull requests for the relevant specification in the webdriver spec, as the current maintainers seem to have moved on?

[lukehamil55]

Any workarounds in headless Python Chrome Selenium without spinning up XVFB display for extension cycling (unreliable on Lambda) and without using SeleniumWire (blocked due to TLS fingerprint)?