id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28207	contrib.auth.authenticate() doesn't work correctly if multiple auth backends don't accept a position request argument	Tamas Szabo	nobody	"Django 1.11 introduced the new `request` positional argument for the `authenticate` method.

Unfortunately, it looks like the implementation has a bug. The credentials parameter received by the function can be mutated to adapt the keyword arguments when calling the backend:

https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L92

However, the variable isn't reset at the top of the loop (like `args` is) so the following backend(s) will be processed as if `request` was in the `**credentials`` dictionary.

As a result both

https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L72
and
https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L77

will always fail with type errors, because the `request` argument is passed in twice into them.






"	Bug	closed	contrib.auth	1.11	Release blocker	fixed			Accepted	1	0	0	0	0	0