Poetry ignoring credentials in source url?

Discussed in https://github.com/orgs/python-poetry/discussions/6629

^{Originally posted by keriksson-rosenqvist September 26, 2022} I am trying to set up a poetry environment which pulls a certain package from a private pypi-like registry. As I am sharing the project with others via a git repository, I want the setup to be contained within the pyproject.toml file, i.e. not rely on configs, environment variables, or keyring settings that may differ between user devices. I have therefore added a source with the basic http credentials included in the url. The exact same url is able to install the package and it’s dependencies through pip install -i https://<username:password>@[REDACTED]/pypi/simple/ my-private-package

[tool.poetry.dependencies]
my-private-package = { version = "^2.0.0", source = "my_private_package"}
...
[[tool.poetry.source]]
name = "my_private_package"
url = "https://<username:password>@[REDACTED]/pypi/simple/"
secondary = true

I’ve set secondary = true as that lets dependencies be installed from the normal pypi, otherwise poetry also fails to install them.

According to this issue, others have been seemingly been able to get it working with the credentials in the url, however with the setup above raises the following error for me.

$ poetry update
Updating dependencies
Resolving dependencies... (1.7s)

401 Client Error:  for url: https://[REDACTED]/pypi/download/my-private-package/2/my_private_package-2.0.0-py3-none-any.whl#sha256=[REDACTED]

Is this a bug, am I setting it up wrong, or has there been a change to the usage since the mentioned issue was able to get it to work?</div>