Pre-emptive auth is generally bad practice (which is why clients such as Maven do not do it by default).
Still, there are valid use cases where it is perfectly acceptable for proxy repository outbound requests that are known to require authentication to use pre-emptive auth, provided that:
- the remote is a known internal endpoint that is implicitly trusted
- the remote is known to ALWAYS require auth, rather than only for some URLs
- the connection is over https
Benefits:
- bandwidth is conserved: a single request carrying credentials is sent instead of two (the unauthenticated request followed by the authenticated retry)
- load (network, disk, CPU) is reduced
- outbound request logging is reduced (1 entry instead of 2)
- latency to resolve the incoming request is reduced
Suggestions for the implementation:
- only allow sending credentials pre-emptively when the remote URL is https, to help avoid leaking credentials in the clear
- allow whitelisting remote IP addresses, so that if the remote starts answering with 302 redirects to an unexpected location, pre-emptive auth can verify that the redirect target is not a different host before credentials are sent
- simply do not do pre-emptive auth for ANY type of 3xx http redirect
- optionally bulk-whitelist the internal IP subnet by default
This story is to flesh out the value of this type of authentication for proxy repositories and then decide how to expose the feature to Nexus administrators in Nexus 3.
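The suggested safeguards (https only, remote always challenges, allow-listed remote address, no credentials on any 3xx redirect) as an added policy example. This is illustration code, not Nexus code: the subnet list, the hostnames, the hard-coded DNS answers and the function names are all constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed configuration for this example (assumed names, not Nexus settings).
TRUSTED_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Constructed DNS answers so the example runs offline; a real client resolves the host.
RESOLVED = {"repo.internal.example": "10.20.30.40", "mirror.example.org": "203.0.113.5"}
AUTH_HEADER = "Authorization"


def remote_is_trusted(host: str) -> bool:
    """True when the remote resolves to an address inside an allow-listed subnet."""
    addr = RESOLVED.get(host)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_SUBNETS)


def may_send_preemptively(url: str, always_requires_auth: bool) -> bool:
    """Apply the story's conditions: https only, remote always challenges, trusted address."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False  # never place credentials on a cleartext request
    if not always_requires_auth:
        return False  # a remote that challenges only sometimes keeps normal challenge/response
    return remote_is_trusted(parts.hostname or "")


def build_request(url: str, credential: str, always_requires_auth: bool) -> dict:
    """Outbound request; the Authorization header is added only when the policy allows."""
    headers = {"User-Agent": "proxy-repo-example"}
    if may_send_preemptively(url, always_requires_auth):
        headers[AUTH_HEADER] = credential
    return {"url": url, "headers": headers}


def follow_redirect(request: dict, location: str) -> dict:
    """Follow-up request for a 3xx response: credentials are never carried over.

    This implements the stricter suggestion of not doing pre-emptive auth for
    any redirect, so a 302 to an unexpected host cannot receive the credential.
    """
    headers = {k: v for k, v in request["headers"].items() if k != AUTH_HEADER}
    return {"url": location, "headers": headers}
```

A request to the redirected location is then re-evaluated by `build_request` from scratch, so credentials reach the new host only if it independently satisfies every condition.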