Query parameters in raw bearer of an unauthorized response from the registry are overwritten

[bryanchang15]

When the token authorization is used to authorized a registry, the query parameters in original realm field from an unauthorized response header are overwritten and leads to successive authorization failures.

---

E.g. the Bearer in a 401 response header that are returned by the registry is:

Www-Authenticate: Bearer realm="https://private.docker.io/artifacts-auth/docker/jwt?host=private.docker.io",service="docker"

It means that the authorization service is excepted to receive above host as a query parameter. But in our implementation, it won't get and would return errors.

---

I found that the root cause is the function refreshBasic() in the file pkg/v1/remote/transport/bearer.go, it overwrites (the correct behavior is appending, I think) the original RawQuery that is previously parsed from the realm:

func (bt *bearerTransport) refreshBasic() ([]byte, error) {
        u, err := url.Parse(bt.realm)
	if err != nil {
		return nil, err
	}
        // Now we have original query parameters in u.RawQuery, everything is ok, 
   
        ...

        // but unfortunately we overwrites it here
       u.RawQuery = url.Values{
		"scope":   bt.scopes,
		"service": []string{bt.service},
        }.Encode()

        ...
}

---

Hopefully my post can help to improve this repo.

[jonjohnsonjr]

Thanks for reporting this, I've landed a fix -- let me know if you're still having issues.