-
Notifications
You must be signed in to change notification settings - Fork 367
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docker client: fix requests made against bearer token services #480
docker client: fix requests made against bearer token services #480
Conversation
Previous to this commit the requests made against a bearer token service would be lacking the `author` field. That causes the jwt token to have an empty `sub` (Subject) field. [1] The docker registry relies on the `sub` field to know the author of all the requests. When a registry is configured to send notifications [2] the resulting webhooks calls will be missing the author too. This commit fixes the issue by reproducing the same request made by the docker client. [1] https://docs.docker.com/registry/spec/auth/jwt/#getting-a-bearer-token [2] https://docs.docker.com/registry/configuration/#notifications Signed-off-by: Flavio Castelli <fcastelli@suse.com>
@mtrmac PTAL |
Overall, sure, more compatibility with Docker is nice (although this is not in the formal spec at https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md ). OTOH, a server issuing a token with |
besides, it seems moby/moby is already doing that as well:
(I wasn't aware honestly) |
👍
That’s not a “besides”, that’s the only place I could find that the parameter is ever referenced in the current codebase (in particular, I could not find any consumer in the docker/* universe). The value used to be documented before distribution/distribution@fb481ef#diff-825a2678a7f56e92876b5f3813962a1bL135 (September 2015), but even then it was listed as optional and redundant. As for a consumer, there is the referenced https://github.com/SUSE/Portus/blob/46bae5fdb488a02022ad5b0f1af59938e8942de2/app/controllers/api/v2/tokens_controller.rb#L31 in Portus, and I can’t see that the use of Overall, if this were a new protocol proposal, I would be pretty strongly against introducing another field which can be inconsistent with the actually authenticated data; but this is not a concern for the client we are not actually maintaining, while differing from |
I agree with that. Thanks for having merged it. |
Previous to this commit the requests made against a bearer token service would be lacking the
author
field.That causes the jwt token to have an emptysub
(Subject) field.The docker registry relies on the
sub
field to know the author of all the requests. When a registry is configured to send notifications the resulting webhooks calls will be missing the author too.This commit fixes the issue by reproducing the same request made by the docker client.
Some logs
In the next sections you can find some debugging logs obtained by running docker and skopeo against a docker registry configured to use Portus as bearer token.
docker client
This is the authentication request sent to the bearer token service:
The
GET
request hasaccount
set toflavio
, the same value is present into the final bearer token:sub=>"flavio"
.The logs on the docker registry are something like:
As you can see
auth.user.name
is set toflavio
.skopeo - no patch applied
These logs are produced by running this command:
The bearer token service receives this request from skopeo:
As you can see the
GET
request doesn't have theauthor
field, the final jwt token asnil
assub
.Logs from a docker registry using bearer token authentication:
As you can see the
auth.user.name
is empty.skopeo - patched
I rebuilt skopeo with this patch applied. That solves the issue, the logs produced on the bearer token and on the registry are like the ones of the docker client.