Clarify docs example for keyring subprocess auth with Google Artifact Registry

[MichelEdkrantz]

Description

Hi,
thanks for the great additions with keyrings in pip 23.1 :) I discovered that the docs here https://pip.pypa.io/en/stable/topics/authentication/ on auth is missing some vital info for auth with Google Artifact Registry.

Trying to use the new keyring delegation calling with

Does not work
pip install --no-input --keyring-provider=subprocess --index-url=https://us-east4-python.pkg.dev/<project>/<repo>/simple <package_name>

Does work
pip install --no-input --keyring-provider=subprocess --index-url=https://[email protected]/<project>/<repo>/simple <package_name>

It seems the username needs to be oauth2accesstoken. It was only obvious after digging deep into the code for
keyrings.google-artifactregistry-auth that this is a hard coded username, and any username provided to the CLI is ignored.

The CLI interface in keyrings could be more obvious and also return the overridden username, but that's not for pip to solve i guess.

Expected behavior

Update docs to state that this username needs to be used for any usage with Google Artifact Registry

pip version

23.1

Python version

3.11

OS

Mac

How to Reproduce

You need a working Google Artifact Registry setup. See description

Output

No response

Code of Conduct

• I agree to follow the PSF Code of Conduct.

[uranusjr]

This looks like something that should be covered by keyrings.google-artifactregistry-auth? pip only provides an iterface to inject credentials; how the injection is actually performed in up to each keyring integration.

[MichelEdkrantz]

Yes agree. I still think it could be very useful for getting developers all the way through using the docs, since it is already giving some hints on how to integrate with both Google and Azure.
I have a feeling that more people will get this error over time, so wanted to leave some internet trail of a possible solution.

[uranusjr]

If the suggestion is to add references to direct people to the relevant documentation, I’m for it. I do not think pip should involve in documenting how to set up individual keyring integrations though, since that changes with those projects and pip maintainers are not in the position to document things for them.

[PeterJCLaw]

#11827 seems maybe relevant here? Having a way to specify the username to use (so it doesn't need to be repeated in every --extra-index-url) would solve other things -- notably GitHub Dependabot's private pypi config doesn't like urls which already have a username in them.

I realise that's not a pip thing specifically as it's kinda keyring which isn't returning the username, however it is something pip could ease and which might be useful in general.