Comments (16)
Not good at all. This attempt to improve security will end up with lots of people using solutions that have worse security properties, like the service json key, or even worse. I can't think of an alternative that has acceptable usability and good security properties. Even if I want to write custom code to generate and refresh json keys, there is still the problem of the root of trust for the rotation. This whole thing is counter-productive and punishes people who adopted gcr/gar.
from docker-credential-gcr.
Yes we are working on this. To have the oauth flow trusted we have to go through a security review, and we're working through that right now.
That's good, thanks!
Do you have a possible timescale for this? Days? Weeks? Months?
Thanks!
It seems like this only affects `docker-credential-gcr gcr-login` invocations that set `-no-browser`?
And there's no other alternative for desktop applications (if I'm reading this right) besides using the browser flow.
Would you suggest we just drop this flag? Or is there something else we could do here?
We're going through the process of getting this oauth client onboarded as 'official' on the google side. Does gcr-login not work at all now?
(Internal only) screenshot of the challenge screen:
https://screenshot.googleplex.com/38kwQYgeKABsACx
Any update on this? Will it be fixed? Or does anybody have an alternative approach to getting this functionality?
We are working on getting the OAuth flow approved. Can you please provide exactly what commands you are running that have changed? We want to make sure we understand all the client interactions that we need to check.
We are using `docker-credential-gcr configure-docker` and `docker-credential-gcr gcr-login` to authenticate developers with their personal accounts on our IoT edge devices. This is part of our development and support workflow.
Just to make sure we're aligned - currently `docker-credential-gcr configure-docker` works as it used to, and `docker-credential-gcr gcr-login` also works in my testing.
But `docker-credential-gcr gcr-login -no-browser` is broken.
If this isn't the same as you're seeing, please let us know.
Yes, `docker-credential-gcr configure-docker` works as it used to.
`docker-credential-gcr gcr-login` does not work any more, with or without the `-no-browser` option.
`docker-credential-gcr gcr-login` no longer works if it is unable to launch the browser. In this case it behaves the same as `-no-browser`.
We are working on fixing the oauth flow.
There are some potential workarounds, they involve using gcloud to do authentication. I know that's not an option for every situation.
If gcloud is installed, docker-credential-gcr will fall back to using gcloud for authentication if you don't do gcr-login.
Alternatively you can use gcloud directly for docker authentication - see 'gcloud auth configure-docker'
Would some variant of this work perhaps?
> Would some variant of this work perhaps?

I did a quick test of it and ran into the same problem...
Is anyone actively working on this issue?
Hi, after reviewing this some more and based on discussions with the security reviewers, it turns out I didn't completely understand the change. The OOB flow that uses the copy/paste mechanism is being deprecated for all clients regardless of whether they are 1st or 3rd party apps:
https://developers.google.com/identity/protocols/oauth2/resources/oob-migration
The only thing we can fix is that the browser-based oauth flow will stop showing a warning when you go through that process. We unfortunately don't have any alternative for this library for browserless login.
The first alternative I can see is to use gcloud. While the oob flow is also being removed from gcloud, it does support a --no-browser flag which allows login provided you can run a command on another machine that has both gcloud and a browser.
https://cloud.google.com/sdk/docs/authorizing#run_gcloud_auth_login
Alternatively, you can log in as a service account with gcloud using a json key.
Once you are logged in with gcloud then docker-credential-gcr will fallback to gcloud to get an auth token.
Apologies for the ambiguity, I know it's frustrating when auth flows stop working. We're beholden to the oauth team on this.
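Since the thread ends with three ways a registry can end up authenticated (docker-credential-gcr's own login, the gcloud fallback, or a pasted service-account json key), the check below inspects a Docker `config.json` and reports which mechanism each registry actually uses, flagging any registry whose credential is stored statically in `auths`. This is an added example, not code from the thread or from the docker-credential-gcr project; it assumes the helper names `gcr` and `gcloud` (what `docker-credential-gcr configure-docker` and `gcloud auth configure-docker` write into `credHelpers`) and uses `_json_key` as the conventional username for a service-account key, with the sample config constructed here.

```python
import base64
import json

# Constructed sample of a ~/.docker/config.json (not taken from the thread).
# It mixes the three states the thread discusses: registries handled by
# docker-credential-gcr (helper "gcr"), registries handed to gcloud
# (helper "gcloud"), and a registry with a static service-account key
# pasted into "auths", the fallback the first commenter worries about.
SAMPLE_CONFIG = json.dumps({
    "credHelpers": {
        "gcr.io": "gcr",
        "us.gcr.io": "gcr",
        "us-docker.pkg.dev": "gcloud",
    },
    "auths": {
        "eu.gcr.io": {
            "auth": base64.b64encode(
                b'_json_key:{"type":"service_account"}').decode()
        },
        "gcr.io": {},  # empty entry: docker still routes this to credHelpers
    },
})


def classify_registries(config_text):
    """Return {registry: how-it-authenticates} for every registry in the config."""
    cfg = json.loads(config_text)
    helpers = cfg.get("credHelpers", {})
    auths = cfg.get("auths", {})
    result = {}
    for registry in sorted(set(helpers) | set(auths)):
        helper = helpers.get(registry)
        entry = auths.get(registry, {})
        if entry.get("auth"):
            # A static "user:password" pair sits base64-encoded on disk; report it
            # even if a helper is also configured, because the secret is still at rest.
            decoded = base64.b64decode(entry["auth"]).decode(errors="replace")
            user = decoded.split(":", 1)[0]
            result[registry] = f"static credential in auths (user {user!r})"
        elif helper == "gcr":
            result[registry] = "docker-credential-gcr"
        elif helper == "gcloud":
            result[registry] = "gcloud credential helper"
        elif helper:
            result[registry] = f"helper {helper!r}"
        else:
            result[registry] = "no credential configured"
    return result


def static_credential_registries(config_text):
    """Registries whose credentials are stored statically in the config file."""
    return [r for r, c in classify_registries(config_text).items()
            if c.startswith("static")]
```

Run it against a real `~/.docker/config.json` to confirm that, after the gcloud workaround, every GCR/AR registry reports `gcloud credential helper` or `docker-credential-gcr` and the static list is empty.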