Thanks for the proposal! I think this is a much-needed feature. Here are some thoughts:
- Is it enough to assume that the credentials are set through headers? For example, could a service expect credentials to be e.g. embedded in the URL? (I believe the proposed JSON reply format could be naturally extended to support it; my question is primarily whether such a need already exists today.)
- Should the design allow for providing multiple credential helpers to Bazel, so that users don’t have to write their own URL pattern matching? I can imagine two ways of doing this:
- Bazel receives a list of helpers and queries each one in turn until it obtains a successful response (but this is potentially inefficient?)
- Bazel receives a mapping from URL to helper. The key could potentially contain wildcards, so that e.g. a family of services service1.foo.com
, ..., serviceN.foo.com
sharing the same credentials would only require a single *.foo.com
- The proposal should clarify what it means for a helper to "fail": does it return a nonzero exit code? What if the exit code is zero, but the response is empty - would that mean "no credentials are required"?
- Is a credential helper allowed to be user-interactive? For example, if a service requires a browser authentication flow or security key touch to obtain credentials, is it acceptable to trigger it from the helper? (I think this is potentially a bad idea, but I could be convinced.)
- The proposal probably should clarify the relative priority of --credentials_helper and other authentication flags that already exist in Bazel.