Support IdentityToken in registry authn

[yihuaf]

Adding the support for using identitytoken in the .docker/config.json
files. It's part of oauth2 and Azure Container Registry is one of the case that uses this.

Since containers/image implemented it's own docker registry client, we want to make it working with oauth2. The identitytoken can be used to get an access/bear token in place of password. Instead of setting basicAuth in the request, we follow the oauth2 definition to send a post request with grant_type.

Reference:

1. Docker registry oauth2 documentation: https://docs.docker.com/registry/spec/auth/oauth/
2. Azure Container Registry oauth2 documentation: https://github.com/Azure/acr/blob/7eddc1c5866ce5cc80e95df37d9d119e70d8c15e/docs/AAD-OAuth.md

Test: Tested with podman and logging into azure container registry, which uses identitytoken.

Concern: This patch changed the config.GetAuthentication interface, which is used by podman directly. Not sure if this is intended behaviour for podman to access GetAuthentication directly.

close #748
This is the base to fix these: containers/skopeo#533 and containers/podman#4357.

Signed-off-by: yihuaf fang.yihua.eric@gmail.com

[mtrmac]

Thanks! Just a quick first look.

[mtrmac]

Concern: This patch changed the config.GetAuthentication interface, which is used by podman directly. Not sure if this is intended behaviour for podman to access GetAuthentication directly.

It is a public API, and most of the config subpackage exists for podman {login, logout}, so ti is intended in that sense. This PR should keep that code, unmodified, working for user name+password autentication. Podman might well want to add extra support for the identity token, and in that case it can migrate to a new API.

[yihuaf]

Concern: This patch changed the config.GetAuthentication interface, which is used by podman directly. Not sure if this is intended behaviour for podman to access GetAuthentication directly.

It is a public API, and most of the config subpackage exists for podman {login, logout}, so ti is intended in that sense. This PR should keep that code, unmodified, working for user name+password autentication. Podman might well want to add extra support for the identity token, and in that case it can migrate to a new API.

I can keep the "GetAuthentication" interface intact, and create a new interface for the bearer token code path. "GetAuthentication" can internally call the new function and only expose username and password. Any preference on the name of the new API? "GetAuthenticationDocker" or "GetAuthenticationOauth2"?

[yihuaf]

@mtrmac PTAL at the latest change. Addressed your comments.

[rhatdan]

@vrothberg PTAL

[vrothberg]

LGTM but I want @mtrmac to have another look.

I guess we need to support that in the kernel keyring once we enable support for it.

[yihuaf]

Force push to rebase to latest master.

[mtrmac]

I can keep the "GetAuthentication" interface intact, and create a new interface for the bearer token code path. "GetAuthentication" can internally call the new function and only expose username and password. Any preference on the name of the new API? "GetAuthenticationDocker" or "GetAuthenticationOauth2"?

(I know, bikeshedding…) GetAuthenticationStruct? It is not only for OAuth2. Or, maybe, I never really liked the “authentication” noun here - GetCredentials?

[mtrmac]

Thanks, and I apologize for the delay.

This is a full review now. Highlights:

• The GetAuthenticationOAuth2 naming
• Behavior of GetAuthentication with OAuth2 configuration
• The account removal on GET token requests.

[yihuaf]

Addressed the review. Created a separate commit so it's easier to track the change. I can squash the commits together if needed. @mtrmac

[yihuaf]

Force push to rebase master.

[vrothberg]

I will do another review tomorrow (unless it's merged before :-)). But before merging, @yihuaf could you squash the commits into one?

[yihuaf]

I will do another review tomorrow (unless it's merged before :-)). But before merging, @yihuaf could you squash the commits into one?

I can certainly do that :)

[mtrmac]

Thanks for the update!

[mtrmac]

One last nit.

[yihuaf]

One last nit.

done.

[mtrmac]

LGTM. Thanks!