-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client request only authorized for same repository: unauthorized when changing repo name #133
Comments
Ok, more info. It seems that after the first succesfull request, the headers changed from Basic to Bearer: Line 998 in cb575ab
For the second request to quefacemos2 repository, the authHeaderRaw shows info about the Bearer:
UPDATE:
client.get_tags(whatever-samerepo)
client.remote.get_manifest(whatever-samerepo) It fails also if you dont authenticate between again. So the behaviour is not because of changing the repository scope only, any time you do a new call. |
Which registry is this? The challenge here is that there isn't a standard auth flow, and it's been tweaked over the years to fit niche registry cases. |
Azure OCI Registry
El vie, 3 may 2024 a las 20:25, Vanessasaurus ***@***.***>)
escribió:
… Which registry is this? The challenge here is that there isn't a standard
auth flow, and it's been tweaked over the years to fit niche registry cases.
—
Reply to this email directly, view it on GitHub
<#133 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGFV5D3ZXOH22WQ7UD54FNLZAPJADAVCNFSM6AAAAABHFVWOGOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJTGU2DAOJTGM>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
So azure just wants to keep the basic auth, or is it just missing the scope? |
Not quite sure, but seems that it does not want neither basic auth.
{
"iss": "Azure Container Registry",
"aud": "rcsdockerregistry.azurecr.io",
"version": "1.0",
"grant_type": "refresh_token",
"permissions": {
"actions": [
"read",
"write",
"delete",
"deleted/read",
"deleted/restore/action"
]
},
Lines 1050 to 1060 in cb575ab
This only works for the first request, as I mentioned. Any second request has an slighly different flow:
|
Sounds like we need to keep the basic auth then and this registry does not have support for Bearer? Would that fix the issue? |
I don't think that the registry is not supporting the Bearer. It does, but only seems to be valid for the each single request, so that's why I need to login each time. It's like the refreshing or handling of the next request does not take care properly of the Bearer header; the header transformation & update is only working if the Basic Auth is the original header. Respecting the basic_auth could be an option to avoid login repeatedly because it looks like having it enforces the correct automatic refresh for the client/registry (transforming from Basic Auth to Bearer). Line 226 in cb575ab
oras_client.login(hostname=self.server, username=OCI_USER, password=out_token["accessToken"])
oras_client.get_tags(whatever)
oras_client.set_basic_auth(OCI_USER, self.auth_token)
oras_client.get_tags(whatever_repo2) I don't know if persisting or respecting the _basic_auth member variable for the Registry class could have side effects for others to be honest: |
What we probably need is to separate the auth flow into modules - so you can select a module that has a particular behavior. I'd be open to a PR for that - I won't have time myself imminently soon. |
Hi @borjamunozf - I started #134 as an effort to refactor auth into modules. I stripped down the default (the token flow) so I'm interested in feedback about if that works for you now, and if not, what the issue is, and then if there were a "basic auth only" flow (which I added a skeleton for) what you'd like that to look like. This is a fairly big change so it might not go in quickly (we need feedback from folks that use other registries) but I wanted to get us started. |
Hello.
We have started using the oras sdk but we got an strange behaviour. This is the following scenario:
Scenario
pseudocode
Actual behaviour
fail
ok
Expected behaviour
Is this expected? Why the authentication seems to disappear or stop to being valid after changing the repository?
The text was updated successfully, but these errors were encountered: