Azure Container Registry integration with Azure Active Directory

The Azure Container Registry allows users to manage a private Docker registry on the cloud. Our service enables customers to store and manage container images across all types of Azure deployments, keep container images near deployments to reduce latency and costs, maintain Windows and Linux container images in a single Docker registry, use familiar, open-source Docker command line interface (CLI) tools, and simplify registry access management with Azure Active Directory.

The integration of Azure Container Registry with Azure Active Directory is crucial in order to enable transparent authentication and authorization of users and headless services using AAD credentials. In this scenario, a user will only have to use their AAD credentials to log in to their private registry, and the Azure Container Service will take care of the authorization validation of each operation using the provided credentials.

Under the hood, Azure Container Service utilizes the oauth2 authorization protocol, as described by the Docker Registry v2 authentication via central service documentation as well as the Docker Registry v2 Bearer token specification. The JWT tokens generated by the Azure Container Registry are easy to observe in jwt.io.

Logging into a registry

The process to log in to the registry, from the user's perspective, is simple. The user will use the Microsoft Azure CLI 2.0:

```
az acr login -n contosoregistry
```

Internally, the CLI will follow these steps:

1. Calls Azure Resource Manager to resolve the login server for the specified registry.
2. Obtains refresh credentials from the profile in use. For a headless call, this will give you the registered SPN; for a regular user, this will give you a refresh token.
3. Makes an HTTPS GET call to the registry server's /v2 endpoint, without credentials. A bearer token authentication challenge is expected, specifying realm and service values. The realm contains the authentication server's URL.
4. Makes an HTTPS POST call to the authentication server's /oauth2/exchange endpoint, with a body indicating the grant type, the service, the tenant, and the credentials.
5. From the server's response, extracts an Azure Container Registry refresh token.
6. Passes the refresh token as the password to the Docker CLI, using a null GUID as the username and calling docker login. From here on, the Docker CLI takes care of the authorization cycle using oauth2.

At the end, Docker will store the refresh token and go through the oauth2 flow on each operation it does against the Azure Container Registry.

Listing a repository

The Microsoft Azure CLI 2.0 also allows users to list the repositories in a registry, and to list the tags for a repository in a registry. Here's how users can list the repositories in a registry:

```
az acr repository list -n contosoregistry
```

Internally, the CLI will follow these steps:

1. Calls Azure Resource Manager to resolve the login server for the specified registry.
2. Obtains refresh credentials from the profile in use. For a headless call, this will give you the registered SPN; for a regular user, this will give you a refresh token.
3. Makes an HTTPS GET call to the registry server's /v2 endpoint, without credentials. A bearer token authentication challenge is expected, specifying realm and service values. The realm contains the authentication server's URL.
4. Makes an HTTPS POST call to the authentication server's /oauth2/exchange endpoint, with a body indicating the grant type, the service, the tenant, and the credentials.
5. From the server's response, extracts an Azure Container Registry refresh token.
6. Makes an HTTPS POST call to the authentication server's /oauth2/token endpoint, with a body indicating the grant type, the service, the scope, and the Azure Container Registry refresh token.
7. From the server's response, extracts an Azure Container Registry access token.
8. Makes an HTTPS GET call to the registry server's /v2/_catalog endpoint using the access token as the bearer token.
9. Obtains the data from the service and displays it.

When listing the tags of a repository, every step above is the same except for the call to the endpoint that returns the tags, which is /v2/contosoregistry/tags/list instead of /v2/_catalog.

Azure Container Registry Refresh Token and Access Token

Let's follow an example call to list a repository:

```
az acr repository list -n contosoregistry
```

This will produce a JWT refresh token with the following payload:

Followed by an access token with the following payload:

DavidObando changed the title from "Prepare documentation for ACR and AAD integration." to "Azure Container Registry integration with Azure Active Directory - doc in progress" on Mar 2, 2017.

DavidObando changed the title from "Azure Container Registry integration with Azure Active Directory - doc in progress" to "Prepare documentation for ACR and AAD integration" on Mar 2, 2017.
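The challenge-then-exchange sequence the issue describes for `az acr repository list`, as an added Python example (not the Azure CLI's own code): it parses the bearer challenge, derives the authentication server from the realm, and walks /oauth2/exchange, /oauth2/token and /v2/_catalog against a constructed in-process stand-in for contosoregistry so it runs offline. The form field and response names (grant_type, refresh_token, access_token, repositories), the catalog scope registry:catalog:* and the token values are assumptions following the issue's description of each step.

```python
import re
from urllib.parse import urlsplit

def parse_bearer_challenge(www_authenticate):
    """Split 'Bearer realm="...",service="..."' into a dict of its quoted parameters."""
    scheme, _, params = www_authenticate.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("expected a Bearer challenge, got %r" % scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def list_repositories(login_server, tenant, aad_refresh_token, http):
    """Steps behind `az acr repository list`; `http(method, url, headers, form)` -> (status, headers, json) is injected."""
    # Step 1: the unauthenticated GET /v2 must be challenged; the realm names the auth server.
    status, hdrs, _ = http("GET", "https://%s/v2/" % login_server, {}, None)
    if status != 401:
        raise RuntimeError("expected a 401 bearer challenge, got %d" % status)
    challenge = parse_bearer_challenge(hdrs["WWW-Authenticate"])
    realm, service = challenge["realm"], challenge["service"]
    auth_server = "%s://%s" % urlsplit(realm)[:2]   # scheme + host of the realm URL
    def post(path, form):   # POST to the auth server; any non-200 means the credential was refused
        status, _, body = http("POST", auth_server + path, {}, form)
        if status != 200:
            raise PermissionError("%s refused the token exchange (%d)" % (path, status))
        return body
    # Step 2: AAD refresh token -> ACR refresh token (form field names are assumptions).
    body = post("/oauth2/exchange", {"grant_type": "refresh_token", "service": service,
                                     "tenant": tenant, "refresh_token": aad_refresh_token})
    acr_refresh = body["refresh_token"]
    # Step 3: ACR refresh token -> access token scoped to the catalog (scope name assumed).
    body = post("/oauth2/token", {"grant_type": "refresh_token", "service": service,
                                  "scope": "registry:catalog:*", "refresh_token": acr_refresh})
    acr_access = body["access_token"]
    # Step 4: only now is the catalog endpoint called, with the access token as bearer.
    status, _, body = http("GET", "https://%s/v2/_catalog" % login_server,
                           {"Authorization": "Bearer " + acr_access}, None)
    if status != 200:
        raise RuntimeError("catalog request failed with %d" % status)
    return body["repositories"]
def fake_acr(method, url, headers, form):
    """Constructed stand-in for contosoregistry's registry and auth server (not a real service)."""
    realm = "https://contosoregistry.azurecr.io/oauth2/token"
    if url.endswith("/v2/") and "Authorization" not in headers:
        return 401, {"WWW-Authenticate": 'Bearer realm="%s",service="contosoregistry.azurecr.io"' % realm}, None
    if url.endswith("/oauth2/exchange") and form["refresh_token"] == "aad-refresh-token":
        return 200, {}, {"refresh_token": "acr-refresh-token"}
    if url.endswith("/oauth2/token") and form["refresh_token"] == "acr-refresh-token":
        return 200, {}, {"access_token": "acr-access-token"}
    if url.endswith("/v2/_catalog") and headers.get("Authorization") == "Bearer acr-access-token":
        return 200, {}, {"repositories": ["hello-world", "nginx"]}
    return 401, {}, None   # anything else is rejected, as the registry would
```

Swapping `fake_acr` for a real HTTP client (form-encoded POST bodies, JSON responses) reproduces the CLI's traffic; the stand-in is only there to make the four-step exchange observable end to end.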