From 14100d3caea003925d8b43fd0d5641d205780f9f Mon Sep 17 00:00:00 2001
From: Federico Fissore <federico.fissore@nbx.com>
Date: Mon, 26 Apr 2021 14:02:30 +0200
Subject: [PATCH] Requiring keyring authentication when repository returns 403
 Fixes #9870

---
 news/9870.bugfix.rst              | 1 +
 src/pip/_internal/network/auth.py | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 news/9870.bugfix.rst

diff --git a/news/9870.bugfix.rst b/news/9870.bugfix.rst
new file mode 100644
index 00000000000..6f906d846f9
--- /dev/null
+++ b/news/9870.bugfix.rst
@@ -0,0 +1 @@
+This fixes a keyring auth issue when internal pip repos return 403 rather than 401
diff --git a/src/pip/_internal/network/auth.py b/src/pip/_internal/network/auth.py
index bd54a5cba99..20313069807 100644
--- a/src/pip/_internal/network/auth.py
+++ b/src/pip/_internal/network/auth.py
@@ -210,7 +210,7 @@ def __call__(self, req):
             # Send the basic auth with this request
             req = HTTPBasicAuth(username, password)(req)
 
-        # Attach a hook to handle 401 responses
+        # Attach a hook to handle 401, 403 responses
         req.register_hook("response", self.handle_401)
 
         return req
@@ -236,9 +236,9 @@ def _should_save_password_to_keyring(self):
 
     def handle_401(self, resp, **kwargs):
         # type: (Response, **Any) -> Response
-        # We only care about 401 responses, anything else we want to just
+        # We only care about 401 and 403 responses, anything else we want to just
         #   pass through the actual response
-        if resp.status_code != 401:
+        if resp.status_code not in [401, 403]:
             return resp
 
         # We are not able to prompt the user so simply return the response