Authentication when downloading package from private registry using oauth2accesstoken fails with 401 Unauthorized

[fellhorn]

Thanks a lot for this project, happy to see the so much progress in the python packaging ecosystem!

I tried to use uv with a private pip repository hosted in Google artifact registry:

> uv pip compile --extra-index-url https://oauth2accesstoken:$(gcloud auth print-access-token)@my-region-python.pkg.dev/my-project/my-repo/simple/ requirements.in

error: Failed to download: my-package==0.7.1
  Caused by: HTTP status client error (401 Unauthorized) for url (https://my-region-python.pkg.dev/my-project/my-repo/my-package/my-package-0.7.1-cp38-abi3-manylinux_2_28_x86_64.whl#sha256=my-sha)

This is the same both for uv pip install and uv pip compile.
It seems like the authentication for listing works (version 0.7.1 is read from the repo, I did not provide it), but the token is not used when downloading.

[gwdekker]

FWIW, I am seeing something very similar for a gitlab-hosted artifact registry. Same error.

[tfcace]

Probably related to #1458

[zanieb]

Should be resolved in the latest version ref #1886

[fellhorn]

Thanks, I can confirm it works now 👍