Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feat]: Obtain apikeys via CLI with IdP integration #2540

Open
andesvl-klarrio opened this issue Jul 15, 2024 · 3 comments
Open

[Feat]: Obtain apikeys via CLI with IdP integration #2540

andesvl-klarrio opened this issue Jul 15, 2024 · 3 comments
Labels
feature New feature or request rm-external Roadmap item submitted by non-maintainers

Comments

@andesvl-klarrio
Copy link

Is your feature request related to a problem? Please describe.

We want to integrate Zot with our IdP (Keycloak) via OIDC. Our users should be able to authenticate to the Zot UI through the standard OIDC flow. However, we also want to streamline the process of setting up OCI credentials for our users, allowing them to pull and push without manually installing API keys.

To achieve this, we plan to develop a simple CLI tool that can obtain a token from our IdP using the OIDC device grant flow. Currently, there is no way to authenticate to the Zot API to obtain API keys using these tokens. Because, enabling bearer authentication disables all other authentication methods, which conflicts with the OIDC flow needed for the UI.

Describe the solution you'd like

We need a solution that allows API keys to be created via a Zot endpoint using bearer tokens while maintaining compatibility with other authentication methods.

If there are any suggestions for a proper approach, we are happy to contribute an implementation.
We don't understand why enabling bearer authentication disabled all other authn.

Describe alternatives you've considered

Using only bearer token authentication is problematic for us.

  1. We need a solution for metrics scraping (basic auth works fine for us there).
  2. We want to integrate with our IdP for single-sign-on.
  3. We want to authenticate Kubernetes nodes/containerd (so we need basic auth/mutual tls).

Additional context

We are building a cloud-indepent multitancy platform on top of Kubernetes and want to host our images in Zot. To integrate Zot, we'd like to use multiple authentication methods for various actors.

@andesvl-klarrio andesvl-klarrio added the feature New feature or request label Jul 15, 2024
@eusebiu-constantin-petu-dbk
Copy link
Collaborator

Hello @andesvl-klarrio

Unfortunately we tried in the past to make bearer auth work with other authentication options.

The problem is that tools(like skopeo) do not support multiple authentication challenges:
https://github.com/containers/image/blob/1dbd8fbbe51653e8a304122804431b07a1060d06/docker/wwwauthenticate.go#L86

So tools will take the first challenge and ignore the other sent by zot...

Thank you for trying out zot!

@rchincha rchincha added the rm-external Roadmap item submitted by non-maintainers label Jul 15, 2024
@rchincha
Copy link
Contributor

This is also something the OCI community is looking at: opencontainers/wg-auth#12

@andesvl-klarrio
Copy link
Author

I may be misunderstanding. But aren't apikeys already a solution to get past the 'OCI authn restriction'. So if Zot can create apikeys via its own (non-oci?) authn implementation (at least for that endpoint), the problem that I'm having seems to be solved. I don't think you need to support multiple auth headers on single OCI requests, just the login via apikey as you already do.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature New feature or request rm-external Roadmap item submitted by non-maintainers
Projects
None yet
Development

No branches or pull requests

3 participants