Client request only authorized for same repository: unauthorized when changing repo name about oras-py HOT 9 OPEN

Ok, more info. It seems that after the first succesfull request, the headers changed from Basic to Bearer:

For the second request to quefacemos2 repository, the authHeaderRaw shows info about the Bearer:

• the scope is assigned to the previous repo (quefacemos (in this case cct, does not matter).
• complains about insufficient scope

UPDATE:

• I checked other calls like getting the tags and then use

client.get_tags(whatever-samerepo)
client.remote.get_manifest(whatever-samerepo)

It fails also if you dont authenticate between again. So the behaviour is not because of changing the repository scope only, any time you do a new call.

from oras-py.

Which registry is this? The challenge here is that there isn't a standard auth flow, and it's been tweaked over the years to fit niche registry cases.

from oras-py.

from oras-py.

So azure just wants to keep the basic auth, or is it just missing the scope?

from oras-py.

Not quite sure, but seems that it does not want neither basic auth.
If I'm not wrong, this the flow:

• client.login(user, acces_token)
  this access token looks like this (omitted info)

{
  "iss": "Azure Container Registry",
  "aud": "rcsdockerregistry.azurecr.io",
  "version": "1.0",
  "grant_type": "refresh_token",
  "permissions": {
    "actions": [
      "read",
      "write",
      "delete",
      "deleted/read",
      "deleted/restore/action"
    ]
  },

• the header initially is Basic Auth, but this basic request fails. After it gets the first 401, it goes through authenticate_request method, ends getting 200 response in line and updates the header from Basic Auth to Bearer.

• After the headers update, the request is succesfully authorized & response is processed.

This only works for the first request, as I mentioned. Any second request has an slighly different flow:

• The header is already a Bearer Token.
• However, the do_request() and authenticate_request brings 401.

from oras-py.

Sounds like we need to keep the basic auth then and this registry does not have support for Bearer? Would that fix the issue?

from oras-py.

I don't think that the registry is not supporting the Bearer. It does, but only seems to be valid for the each single request, so that's why I need to login each time. It's like the refreshing or handling of the next request does not take care properly of the Bearer header; the header transformation & update is only working if the Basic Auth is the original header.

Respecting the basic_auth could be an option to avoid login repeatedly because it looks like having it enforces the correct automatic refresh for the client/registry (transforming from Basic Auth to Bearer).

• If I set & call the _set_basic_auth function, which is what also the login method does internally, this works.

oras_client.login(hostname=self.server, username=OCI_USER, password=out_token["accessToken"])
oras_client.get_tags(whatever) 
oras_client.set_basic_auth(OCI_USER, self.auth_token)
oras_client.get_tags(whatever_repo2) 

I don't know if persisting or respecting the _basic_auth member variable for the Registry class could have side effects for others to be honest:

https://github.com/oras-project/oras-py/blob/cb575abaa0f45ef9f474f0971f579c12ef643170/oras/provider.py#L75C14-L75C26

from oras-py.

What we probably need is to separate the auth flow into modules - so you can select a module that has a particular behavior. I'd be open to a PR for that - I won't have time myself imminently soon.

from oras-py.

Hi @borjamunozf - I started #134 as an effort to refactor auth into modules. I stripped down the default (the token flow) so I'm interested in feedback about if that works for you now, and if not, what the issue is, and then if there were a "basic auth only" flow (which I added a skeleton for) what you'd like that to look like. This is a fairly big change so it might not go in quickly (we need feedback from folks that use other registries) but I wanted to get us started.

from oras-py.