Proper token authentication integration #57

Open
igoras1993 opened this issue Aug 18, 2020 · 3 comments

@igoras1993

Actually, the implementation of CAS (Central Authorization Service) integration so far should work in many cases. There WERE some bugs, however.

  • The Bearer token is actually not included in the request, because the Authorization header will always be overwritten by the Basic auth part. The result is that even if a proper token was obtained, requests were not authorized at all.
  • Requests to the CAS have the wrong URI construction scheme. The /v2/token part is not always a correct assumption. The address of the token service should be discovered from the v2 request.

Fixing these two problems will make token authentication work. But it still does not follow the 'protocol' described here. The implementation is rather straightforward:

  1. Perform ordinary request to docker registry
  2. If getting 401 response code, look for WWW-Authenticate header, extracting realm and scope parameters.
  3. Perform a GET request:
    3.1. Use address given in realm,
    3.2. Send scope along with parameters,
    3.3. Use Basic Authentication to pass username and password
  4. Obtain token from the response
  5. Resend original request to docker registry, but this time place obtained token in Authentication: Bearer <...> header.

There also can be some caching performed on tokens to improve performance.
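
The five steps listed in the comment above, written out as an added example that is not part of the original comment or of the project's code. It keeps Basic credentials on the token service request only and sends the registry nothing but the Bearer token, which is the header-overwrite bug the comment describes. Assumptions: `send` is a hypothetical transport callable, the `service` parameter and the `access_token` field come from the Docker registry token specification rather than from the comment, and the HTTPS check on `realm` is an added safeguard.

```python
import base64
import re
from urllib.parse import urlencode, urlsplit

_PARAM = re.compile(r'(\w+)="([^"]*)"')  # key="value"; values may contain commas


def parse_bearer_challenge(header):
    """Step 2: parameters of a `Bearer ...` WWW-Authenticate value, else None."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return dict(_PARAM.findall(rest))


def token_request(challenge, username, password):
    """Step 3: (url, headers) for the GET to the token service named by realm."""
    realm = challenge["realm"]
    # Added safeguard: realm is taken from the server's response, so never
    # send Basic credentials to it over plain HTTP.
    if urlsplit(realm).scheme != "https":
        raise ValueError("refusing to send credentials to non-HTTPS realm")
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    url = realm + ("?" + urlencode(query) if query else "")
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    return url, {"Authorization": "Basic " + basic}


def authed_get(send, url, username, password):
    """Steps 1-5. `send(url, headers)` is a hypothetical transport returning
    (status, response_headers, json_body) with canonical header names."""
    status, headers, body = send(url, {})                      # step 1
    if status != 401:
        return status, body
    challenge = parse_bearer_challenge(headers.get("WWW-Authenticate", ""))
    if not challenge or "realm" not in challenge:
        return status, body
    t_status, _, t_body = send(*token_request(challenge, username, password))
    if t_status != 200:
        return t_status, t_body
    token = t_body.get("token") or t_body.get("access_token")  # step 4
    if not token:
        raise ValueError("token service response carried no token")
    # Step 5: the registry receives only the Bearer token; Basic credentials
    # stay confined to the token service request above.
    status, _, body = send(url, {"Authorization": "Bearer " + token})
    return status, body
```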

@igoras1993
Author

I will use Your implementation because of good code quality. However, I need the token part to work correctly. I've forked Your repo, and have implemented fixes and some improvements (see master...igoras1993:fix_ca_auth).

Some time has passed since the last update to this code, and one of the tests was not passing because of updates in the docker registry v2 image on docker hub. I've just frozen the image tag to 2.6.0 in the registry fixture declaration and all pytest tests are now passing. However, I was not able to properly run tox on that project, mainly because of my lack of knowledge. Also, I did not implement tests for the auth part (but there were none already...); mocking up the auth service will take some time, but I will probably do that in the future too.

Please, tell me if You are still willing to maintain this project, so I will submit a pull request.

@djmattyg007

Hello. Since this package appears to be abandoned, I forked it and made various improvements. This includes overhauling how the auth service works. While I haven't explicitly tested it with Docker Hub or Gitlab, it should be flexible enough now to use with either.

I'd appreciate it if you could give it a go and let me know what you think:

https://github.com/djmattyg007/dreg-client

If you run into issues authenticating with various providers, I'd really appreciate your feedback, and am willing to integrate support for other providers into the package.

@igoras1993
Author

I will try it as soon as I find some time! Thanks!
