Skip to content

fix(auth): prioritize OAuth credentials over anonymous fallback#1089

Merged
stevemessick merged 2 commits into
Kaggle:mainfrom
adityabavadekar:fix/anonymous-auth-fallback
Jul 2, 2026
Merged

fix(auth): prioritize OAuth credentials over anonymous fallback#1089
stevemessick merged 2 commits into
Kaggle:mainfrom
adityabavadekar:fix/anonymous-auth-fallback

Conversation

@adityabavadekar

@adityabavadekar adityabavadekar commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR fixes an authentication flow issue where OAuth credentials could be skipped for commands that also support anonymous access.

Issue

The authentication flow checked for anonymous-compatible commands before attempting OAuth authentication.

As a result, commands such as:

kaggle datasets download <private-dataset>

could run anonymously even when the user was authenticated via kaggle auth login. This caused requests for private resources to fail with 403 Forbidden or 404 Not Found errors.

Fix

  • Moved the anonymous fallback to the end of the authentication flow.
  • Check OAuth credentials before falling back to anonymous access.
  • Added unit tests for the authentication flow.

Behavior

Before

$ kaggle datasets download <private-dataset>
403 Client Error: Forbidden for url: ...

After

$ kaggle datasets download <private-dataset>

Dataset URL: https://www.kaggle.com/datasets/<owner>/<dataset>
License(s): ...
Downloading <dataset>.zip...

Authentication Order

Before:

  1. Access token
  2. Legacy API key or anonymous fallback
  3. OAuth credentials

After:

  1. Access token
  2. Legacy API key
  3. OAuth credentials
  4. Anonymous fallback (if supported by the command)

Move the anonymous fallback to the end of the authentication flow so
OAuth credentials are checked before falling back to anonymous access.

Anonymous-compatible commands could return early before checking OAuth
credentials, causing authenticated users to make anonymous requests and
preventing access to private resources.

Add unit tests for the authentication flow.
@stevemessick

Copy link
Copy Markdown
Contributor

/gcbrun

@stevemessick

Copy link
Copy Markdown
Contributor

@erdalsivri Could you take a quick look at this one? I think it is fine but would like an expert's opinion.

@stevemessick stevemessick left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can ignore test_competition_create.py but test_authenticate.py should be reformatted.

@erdalsivri erdalsivri left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

return
if self._authenticate_with_oauth_creds():
return
if self._authenticate_anonymously():

@erdalsivri erdalsivri Jul 1, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! If I understand correctly, we call the legacy auth method first, which returns true even if there is no token but the command supports anonymous. Now we do that check last so OAuth token will be used (if exists) for all commands.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, exactly. Previously, the legacy auth and anonymous fallback were handled inside the same method (_authenticate_with_legacy_apikey). Because it checked them together, anonymous-friendly commands could return True early, blocking OAuth from being evaluated.

Now the two are completely separated, OAuth gets checked first, and anonymous access is a fallback at a late stage.

@stevemessick

Copy link
Copy Markdown
Contributor

Great! Looks like this will be ready to merge once the formatting is fixed.

@adityabavadekar adityabavadekar force-pushed the fix/anonymous-auth-fallback branch from 8e5d2e8 to 3b49ec7 Compare July 2, 2026 05:30
@stevemessick

Copy link
Copy Markdown
Contributor

/gcbrun

@stevemessick stevemessick merged commit a430f0b into Kaggle:main Jul 2, 2026
8 of 12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants