Comments (9)
Ok, more info. It seems that after the first successful request, the headers changed from Basic to Bearer:
Line 998 in cb575ab
For the second request to quefacemos2 repository, the authHeaderRaw shows info about the Bearer:
- the scope is assigned to the previous repo (quefacemos; in this case cct, does not matter).
- complains about insufficient scope
UPDATE:
- I checked other calls like getting the tags and then use
client.get_tags(whatever-samerepo)
client.remote.get_manifest(whatever-samerepo)
It also fails if you don't authenticate again in between. So the behaviour is not only because of changing the repository scope; it happens any time you do a new call.
from oras-py.
Which registry is this? The challenge here is that there isn't a standard auth flow, and it's been tweaked over the years to fit niche registry cases.
from oras-py.
So Azure just wants to keep the basic auth, or is it just missing the scope?
from oras-py.
Not quite sure, but it seems that it does not want basic auth either.
If I'm not wrong, this is the flow:
- client.login(user, access_token)
this access token looks like this (omitted info)
{
"iss": "Azure Container Registry",
"aud": "rcsdockerregistry.azurecr.io",
"version": "1.0",
"grant_type": "refresh_token",
"permissions": {
"actions": [
"read",
"write",
"delete",
"deleted/read",
"deleted/restore/action"
]
},
- the header initially is Basic Auth, but this basic request fails. After it gets the first 401, it goes through the authenticate_request method, ends up getting a 200 response in line and updates the header from Basic Auth to Bearer.
Lines 1050 to 1060 in cb575ab
- After the headers update, the request is successfully authorized & the response is processed.
This only works for the first request, as I mentioned. Any second request has a slightly different flow:
- The header is already a Bearer Token.
- However, the do_request() and authenticate_request brings 401.
from oras-py.
Sounds like we need to keep the basic auth then and this registry does not have support for Bearer? Would that fix the issue?
from oras-py.
I don't think that the registry is not supporting the Bearer. It does, but it only seems to be valid for each single request, so that's why I need to login each time. It's like the refreshing or handling of the next request does not take care properly of the Bearer header; the header transformation & update is only working if the Basic Auth is the original header.
Respecting the basic_auth could be an option to avoid login repeatedly because it looks like having it enforces the correct automatic refresh for the client/registry (transforming from Basic Auth to Bearer).
Line 226 in cb575ab
- If I set & call the _set_basic_auth function, which is also what the login method does internally, this works.
oras_client.login(hostname=self.server, username=OCI_USER, password=out_token["accessToken"])
oras_client.get_tags(whatever)
oras_client.set_basic_auth(OCI_USER, self.auth_token)
oras_client.get_tags(whatever_repo2)
I don't know if persisting or respecting the _basic_auth member variable for the Registry class could have side effects for others to be honest:
from oras-py.
What we probably need is to separate the auth flow into modules - so you can select a module that has a particular behavior. I'd be open to a PR for that - I won't have time myself imminently soon.
from oras-py.
Hi @borjamunozf - I started #134 as an effort to refactor auth into modules. I stripped down the default (the token flow) so I'm interested in feedback about if that works for you now, and if not, what the issue is, and then if there were a "basic auth only" flow (which I added a skeleton for) what you'd like that to look like. This is a fairly big change so it might not go in quickly (we need feedback from folks that use other registries) but I wanted to get us started.
from oras-py.
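The scope-mismatch case described in this thread, as an added example that is not oras-py code: a client that overwrites its Basic header with the Bearer token has nothing left to exchange when the next 401 arrives for a different scope, while a client that keeps the Basic credential and caches tokens per scope can repeat the exchange. The fake registry, the fake token endpoint, the `tok|<scope>` token format, the constructed credentials and the `Client` class are all assumptions made for the illustration.

```python
import base64, re

USERS = {"user": "secret"}  # constructed credentials for the fake registry

def token_endpoint(auth_header, scope):
    """Fake token service: exchanges Basic credentials for a scope-bound token."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    return f"tok|{scope}" if USERS.get(user) == pw else None

def registry(repo, auth_header):
    """Fake registry: 200 only for a Bearer token whose scope matches the repo."""
    scope = f"repository:{repo}:pull"
    if auth_header == f"Bearer tok|{scope}":
        return 200, {}
    return 401, {"WWW-Authenticate": f'Bearer realm="fake",service="fake",scope="{scope}"'}

class Client:
    def __init__(self, user, password, keep_basic):
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.basic = f"Basic {cred}"
        self.headers = {"Authorization": self.basic}
        self.keep_basic = keep_basic
        self.tokens = {}  # scope -> bearer token, so a token is reused only for its own scope

    def get(self, repo):
        status, hdrs = registry(repo, self.headers.get("Authorization"))
        if status != 401:
            return status
        scope = re.search(r'scope="([^"]+)"', hdrs["WWW-Authenticate"]).group(1)
        # keep_basic=False models the overwritten header: only the stale Bearer is left
        cred = self.basic if self.keep_basic else self.headers["Authorization"]
        token = self.tokens.get(scope) or token_endpoint(cred, scope)
        if token is None:
            return 401  # nothing left that the token endpoint will accept
        self.tokens[scope] = token
        self.headers["Authorization"] = f"Bearer {token}"
        return registry(repo, self.headers["Authorization"])[0]

def run(keep_basic):
    """Request two repositories in a row with one client; return both status codes."""
    c = Client("user", "secret", keep_basic)
    return [c.get("quefacemos"), c.get("quefacemos2")]
```
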