bazelbuild/bazel

Bazel maintains HTTP connection after 401 with failed credential helper

Open

#26726 opened on Aug 8, 2025

View on GitHub
 (10 comments) (2 reactions) (0 assignees)Java (25,384 stars) (4,465 forks)batch import
P2help wantedteam-ExternalDepstype: bug

Description

Description of the bug:

When the credential helper fails in an async manner as documented, the HTTP downloader continues to attempt a download anyway. When this inevitably results in a 401 response, the HTTP downloader is cached in the Bazel server and re-used for all subsequent attempts to download from that server even when the credentials have been updated in the credential helper.

This requires that Bazel is shut down after re-authenticating with the credential helper before it will re-attempt running the credential helper and resolving the 401 error.

The ideal solution would be for the HTTP downloader not to plough on regardless if the credential helper fails. However, if it is desired to do so, then the connection to the upstream should not be cached and therefore allow the credential helper to be invoked once again when a new build command comes in.

Furthermore, this caching of connection completely ignores the expiry provided to Bazel in the credential helper response.

Which category does this issue belong to?

No response

What's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

Use a http_archive to download from a server that requires authentication. Provide the authentication through a credential_helper script. Provide invalid credentials on the first execution of Bazel (exit code 1). Update the script to provide the correct credentials (exit 0 with valid JSON). Note that Bazel still gets 401 from the download.

Which operating system are you running Bazel on?

Linux

What is the output of bazel info release?

release 8.1.1

If bazel info release returns development version or (@non-git), tell us how you built Bazel.

No response

What's the output of git remote get-url origin; git rev-parse HEAD ?

If this is a regression, please try to identify the Bazel commit where the bug was introduced with bazelisk --bisect.

No response

Have you found anything relevant by searching the web?

No response

Any other information, logs, or outputs that you want to share?

No response

Contributor guide

Tech stack
java
Domain
build system
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
3-5 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
JavaBazel build systemHTTP authenticationCredential helper concept
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
Start by examining the HTTP downloader logic in HttpConnectorMultiplexer.java, specifically the code after a credential helper failure (line 149). Investigate how the HTTP connection is cached and reused, and ensure that when a 401 response is received, the connection is not cached and the credential helper is re invoked. Check if there is an expiry mechanism for credentials that is ignored. Also review relevant test files for the downloader.