Follow Docker Token Authentication Specification #341
Merged
Conversation
joshspicer changed the title from "refactor oci http auth code into a new file, and implement using wwwA…" to "Follow Docker Token Authentication Specification" on Dec 22, 2022
joshspicer force-pushed the joshspicer/features-oci-auth-support branch from aadf144 to 09a3a2d on December 29, 2022 23:34
cc/ @brendandburns
chrmarti previously requested changes on Dec 30, 2022
Great! Left a few comments.
alexdima approved these changes on Jan 3, 2023
joshspicer dismissed chrmarti's stale review on January 3, 2023 17:27
Resolved all requested changes, and have approval from VS Code.
ref: #322
Implements the Docker Registry v2 authentication via central service specification to improve compatibility with registry services. While not officially part of the distribution specification, this specification is widely used by various container registries. This change has been tested with Azure Container Registry (acr) and GitHub Container Registry (ghcr).
As outlined in the spec, requests will initially be made to a registry without any authentication. If authentication is required by the server, a `401` response will be sent and the `WWW-Authenticate` header will be set with information on how to exchange for a bearer token for the given resource, as well as which scopes to request. Registries like GHCR and ACR require this token exchange even for anonymous access (pulling a public artifact).
This PR wraps all pulling and pushing HTTP operations in `requestEnsureAuthenticated(...)`, which will read the `WWW-Authenticate` header on `401` and attempt to negotiate a token with the server. The last token to be successfully used will be cached and first attempted on subsequent requests.

This implementation supports exchanging for a Bearer token (as described in the linked specification from Docker), as well as setting the authentication header with Basic auth credentials (as expected by the `registry/registry` reference implementation).

Additionally, this PR will now attempt to read the `$HOME/.docker/config.json` file on disk (if one exists) and will share these with the registry server to get a more privileged Bearer token. By following the 'Authenticate using token' steps on the Azure Container Registry Docs, one will be able to both publish and pull from an ACR that requires authentication. The existing `DEVCONTAINERS_OCI_AUTH` environment variable is still supported, and is preferred over reading the home folder `config.json`. For `GHCR`, the environment's `GITHUB_TOKEN` is always preferred.

A test has been added to validate that anonymously pulling a Feature from ACR works end to end. That Feature was pushed to ACR via the changes in this PR.
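The challenge handling the description above outlines, as an added example that is not code from this PR or the devcontainers CLI: it parses the `WWW-Authenticate` challenge a registry returns with a `401`, builds the token-endpoint request (Bearer flow), produces the Basic header for the `registry/registry` fallback, and extracts the token from the response. The function names, types and the sample challenge are constructed for this example; it assumes a runtime with a global `btoa` (Node 16+, Deno, browsers).

```typescript
// Added example (not devcontainers/cli code): handle a registry's 401 challenge
// the way the Docker token spec describes. Names here are hypothetical.

export interface BearerChallenge { scheme: 'Bearer'; realm: string; service?: string; scope: string[] }
export interface BasicChallenge { scheme: 'Basic'; realm?: string }
export type Challenge = BearerChallenge | BasicChallenge;

// Parse `Bearer realm="https://r/token",service="r",scope="repository:a/b:pull"`
// (or a `Basic realm="..."` challenge). Only quoted parameter values are handled.
// Other schemes, or a Bearer challenge with no realm to exchange against, yield
// undefined so the caller fails closed instead of guessing an endpoint.
export function parseWwwAuthenticate(header: string): Challenge | undefined {
  const m = /^\s*(Bearer|Basic)\b\s*(.*)$/i.exec(header);
  if (!m) { return undefined; }
  const params: Record<string, string> = {};
  const re = /([A-Za-z_]+)\s*=\s*"([^"]*)"/g;
  let p: RegExpExecArray | null;
  while ((p = re.exec(m[2])) !== null) { params[p[1].toLowerCase()] = p[2]; }
  if (m[1].toLowerCase() === 'basic') { return { scheme: 'Basic', realm: params.realm }; }
  if (!params.realm) { return undefined; }
  return {
    scheme: 'Bearer', realm: params.realm, service: params.service,
    // One challenge may carry several space-separated scopes; each becomes its own query param.
    scope: params.scope ? params.scope.split(' ').filter(s => s.length > 0) : [],
  };
}

// GET URL for the token endpoint: the realm plus `service` and one `scope` per scope.
export function tokenRequestUrl(c: BearerChallenge): string {
  const q: string[] = [];
  if (c.service) { q.push('service=' + encodeURIComponent(c.service)); }
  for (const s of c.scope) { q.push('scope=' + encodeURIComponent(s)); }
  if (q.length === 0) { return c.realm; }
  return c.realm + (c.realm.indexOf('?') >= 0 ? '&' : '?') + q.join('&');
}

// Basic credentials go to the token endpoint (Bearer flow, e.g. read from
// ~/.docker/config.json) or straight to the registry (Basic flow). No creds: anonymous.
export function basicAuthorization(creds?: { user: string; pass: string }): string | undefined {
  if (!creds) { return undefined; }
  return 'Basic ' + btoa(creds.user + ':' + creds.pass);
}

// The spec's token response carries `token`; `access_token` is the OAuth2-compatible alias.
export function tokenFromResponse(body: string): string | undefined {
  const json = JSON.parse(body) as { token?: string; access_token?: string };
  const t = json.token ?? json.access_token;
  return typeof t === 'string' && t.length > 0 ? t : undefined;
}
```

A caller retries the original registry request with `Authorization: Bearer <token>` once `tokenFromResponse` returns a value, and caches that token for the next request as the PR description says.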