Support IdentityToken in registry authn #829
Thanks! Just a quick first look.
It is a public API, and most of the
I can keep the "GetAuthentication" interface intact, and create a new interface for the bearer token code path. "GetAuthentication" can internally call the new function and only expose username and password. Any preference on the name of the new API? "GetAuthenticationDocker" or "GetAuthenticationOauth2"?
@mtrmac PTAL at the latest change. Addressed your comments.
@vrothberg PTAL
LGTM but I want @mtrmac to have another look.
I guess we need to support that in the kernel keyring once we enable support for it.
Force push to rebase to latest master.
(I know, bikeshedding…)
Thanks, and I apologize for the delay.
This is a full review now. Highlights:
- The GetAuthenticationOAuth2 naming
- Behavior of GetAuthentication with OAuth2 configuration
- The account removal on GET token requests.
Addressed the review. Created a separate commit so it's easier to track the change. I can squash the commits together if needed. @mtrmac
Force push to rebase master.
I will do another review tomorrow (unless it's merged before :-)). But before merging, @yihuaf could you squash the commits into one?
I can certainly do that :)
Thanks for the update!
One last nit.
Adding support for using identitytoken in the .docker/config.json files. Azure Container Registry is one of the cases that uses this.
Signed-off-by: yihuaf <fang.yihua.eric@gmail.com>
done.
LGTM. Thanks!
Adding support for using identitytoken in the .docker/config.json
files. It's part of oauth2 and Azure Container Registry is one of the cases that uses this.
Since containers/image implemented its own docker registry client, we want to make it work with oauth2. The identitytoken can be used to get an access/bearer token in place of a password. Instead of setting basicAuth in the request, we follow the oauth2 definition to send a POST request with grant_type.
Reference:
Test: Tested with podman and logging into Azure Container Registry, which uses identitytoken.
Concern: This patch changed the config.GetAuthentication interface, which is used by podman directly. Not sure if this is intended behaviour for podman to access GetAuthentication directly.
close #748
This is the base to fix these: containers/skopeo#533 and containers/podman#4357.
Signed-off-by: yihuaf fang.yihua.eric@gmail.com
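Added example (not code from containers/image or from this PR): a small Go program showing the two code paths the description contrasts, driven by what config.json stores. For a plain login, "auth" holds base64("user:password") and the client does a GET on the token realm with basic auth; when the login returned an identitytoken, the client instead POSTs grant_type=refresh_token with that token, as the OAuth2 section of the registry token spec describes, and reads access_token rather than token from the response. One Credentials value carries both shapes, along the lines of the earlier suggestion to keep GetAuthentication's username/password contract and route the token through a separate path. The registry names, the config.json contents, the rt-... token, the fake token endpoint and the client_id value are all constructed for this example; a real client takes realm, service and scope from the registry's WWW-Authenticate challenge.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Credentials from a registry login: username/password, or the OAuth2 refresh token the docker CLI stores as "identitytoken".
type Credentials struct{ Username, Password, IdentityToken string }

// lookupCredentials reads one registry entry from config.json bytes; "auth" is base64("user:password"), password empty with an identity token.
func lookupCredentials(configJSON []byte, registry string) (Credentials, error) {
	var cfg struct {
		Auths map[string]struct{ Auth, IdentityToken string } // encoding/json matches keys case-insensitively
	}
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return Credentials{}, err
	}
	entry := cfg.Auths[registry] // zero value for an unknown registry fails the check below
	raw, err := base64.StdEncoding.DecodeString(entry.Auth)
	parts := strings.SplitN(string(raw), ":", 2)
	if err != nil || len(parts) != 2 {
		return Credentials{}, fmt.Errorf("no usable credentials for %s", registry)
	}
	return Credentials{parts[0], parts[1], entry.IdentityToken}, nil
}

// fetchToken gets a bearer token from the realm. With an identity token it follows the OAuth2 flow of the
// registry token spec (POST with grant_type=refresh_token) instead of basic auth on a GET; the response field differs too.
func fetchToken(client *http.Client, realm, service, scope string, c Credentials) (string, error) {
	var resp *http.Response
	var err error
	if c.IdentityToken != "" {
		resp, err = client.PostForm(realm, url.Values{
			"grant_type": {"refresh_token"}, "refresh_token": {c.IdentityToken},
			"service": {service}, "scope": {scope}, "client_id": {"example-client"}, // client_id value is assumed
		})
	} else {
		req, e := http.NewRequest(http.MethodGet, realm, nil)
		if e != nil {
			return "", e
		}
		req.URL.RawQuery = url.Values{"service": {service}, "scope": {scope}}.Encode()
		req.SetBasicAuth(c.Username, c.Password)
		resp, err = client.Do(req)
	}
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tr struct {
		Token       string `json:"token"`        // GET flow
		AccessToken string `json:"access_token"` // OAuth2 flow
	}
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint %s answered %s (%v)", realm, resp.Status, err)
	}
	for _, tok := range []string{tr.AccessToken, tr.Token} {
		if tok != "" {
			return tok, nil
		}
	}
	return "", fmt.Errorf("no token in response from %s", realm)
}

// newFakeTokenServer stands in for a registry token endpoint (constructed for this example): a POST must carry the expected refresh token, a GET the expected basic credentials.
func newFakeTokenServer(user, pass, refresh string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && r.ParseForm() == nil &&
			r.PostForm.Get("grant_type") == "refresh_token" && r.PostForm.Get("refresh_token") == refresh {
			fmt.Fprintf(w, `{"access_token":"oauth-token-for-%s"}`, r.PostForm.Get("service"))
		} else if u, p, ok := r.BasicAuth(); r.Method == http.MethodGet && ok && u == user && p == pass {
			fmt.Fprintf(w, `{"token":"basic-token-for-%s"}`, r.URL.Query().Get("service"))
		} else {
			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
		}
	}))
}

// sampleConfig is a constructed config.json: a basic-auth registry and one that stored an identity token.
const sampleConfig = `{"auths": {
  "basic.example.invalid": {"auth": "YWxpY2U6czNjcjN0"},
  "oauth.example.invalid": {"auth": "dG9rZW4tdXNlcjo=", "identitytoken": "rt-0123456789"}}}`

func main() {
	srv := newFakeTokenServer("alice", "s3cr3t", "rt-0123456789")
	defer srv.Close()
	for _, reg := range []string{"basic.example.invalid", "oauth.example.invalid"} {
		creds, err := lookupCredentials([]byte(sampleConfig), reg)
		if err != nil {
			panic(err)
		}
		tok, err := fetchToken(srv.Client(), srv.URL+"/token", "registry.example.invalid", "repository:app/web:pull", creds)
		fmt.Println(reg, "->", tok, err)
	}
}
```

Run it with go run. The fake endpoint rejects a basic-auth attempt that sends only the placeholder username with an empty password, which is exactly what falls out of "auth" when an identity token is stored, so a client that ignores identitytoken and falls back to basic auth fails loudly instead of silently getting a token it should not have.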