Fix bearer token invalidation bug by calling AddResponses() twice on …

…401 errors
awslabs · Aug 3, 2023 · 9958f9a · 9958f9a
1 parent add8c0b
commit 9958f9a
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/fs/remote/resolver.go b/fs/remote/resolver.go
@@ -258,7 +258,23 @@ func (tr *transport) RoundTrip(req *http.Request) (*http.Response, error) {
 	if resp.StatusCode == http.StatusUnauthorized {
 		log.G(ctx).Infof("Received status code: %v. Refreshing creds...", resp.Status)
 
-		// prepare authorization for the target host using docker.Authorizer
+		// Prepare authorization for the target host using docker.Authorizer.
+		// The docker authorizer only refreshes OAuth tokens after two
+		// successive 401 errors for the same URL. Rather than issue the same
+		// request multiple times to tickle the token-refreshing logic, just
+		// provide the same response twice to trick it into refreshing the
+		// cached OAuth token. Call AddResponses() twice, first to invalidate
+		// the existing token (with two respones), second to fetch a new one (
+		// with one response).
+		// TODO: fix after one of these two PRs are merged and available:
+		//     https://github.com/containerd/containerd/pull/8735
+		//     https://github.com/containerd/containerd/pull/8388
+		if err := tr.auth.AddResponses(ctx, []*http.Response{resp, resp}); err != nil {
+			if errdefs.IsNotImplemented(err) {
+				return resp, nil
+			}
+			return nil, err
+		}
 		if err := tr.auth.AddResponses(ctx, []*http.Response{resp}); err != nil {
 			if errdefs.IsNotImplemented(err) {
 				return resp, nil