oras-project · sbdtu5498 · Jul 31, 2023 · Oct 28, 2023 · Feb 28, 2024 · Feb 28, 2024
@@ -55,6 +55,7 @@
 	Username          string
 	PasswordFromStdin bool
 	Password          string
+	IdentityToken     string
 
 	resolveFlag           []string
 	applyDistributionSpec bool
@@ -87,14 +88,15 @@
 // Commonly used for non-unary remote targets.
 func (opts *Remote) ApplyFlagsWithPrefix(fs *pflag.FlagSet, prefix, description string) {
 	var (
-		shortUser     string
-		shortPassword string
-		shortHeader   string
-		flagPrefix    string
-		notePrefix    string
+		shortUser          string
+		shortPassword      string
+		shortIdentityToken string
+		shortHeader        string
+		flagPrefix         string
+		notePrefix         string
 	)
 	if prefix == "" {
-		shortUser, shortPassword = "u", "p"
+		shortUser, shortPassword, shortIdentityToken = "u", "p", "i"
 		shortHeader = "H"
 	}
 	flagPrefix, notePrefix = applyPrefix(prefix, description)
@@ -104,6 +106,7 @@
 	}
 	fs.StringVarP(&opts.Username, flagPrefix+"username", shortUser, "", notePrefix+"registry username")
 	fs.StringVarP(&opts.Password, flagPrefix+"password", shortPassword, "", notePrefix+"registry password or identity token")
+	fs.StringVarP(&opts.IdentityToken, flagPrefix+"identity-token", shortIdentityToken, "", notePrefix+"identity token for registry")
-	fs.StringVarP(&opts.IdentityToken, flagPrefix+"identity-token", shortIdentityToken, "", notePrefix+"identity token for registry")
+	fs.StringVarP(&opts.IdentityToken, flagPrefix+"identity-token", "", "", notePrefix+"identity token for registry")
-	fs.StringVarP(&opts.IdentityToken, flagPrefix+"identity-token", shortIdentityToken, "", notePrefix+"identity token for registry")
+	fs.StringVarP(&opts.IdentityToken, flagPrefix+"identity-token", "", "", notePrefix+"identity token for registry")
 	fs.BoolVarP(&opts.Insecure, flagPrefix+"insecure", "", false, "allow connections to "+notePrefix+"SSL registry without certs")
 	plainHTTPFlagName := flagPrefix + "plain-http"
 	plainHTTP := fs.Bool(plainHTTPFlagName, false, "allow insecure connections to "+notePrefix+"registry without SSL check")
@@ -124,10 +127,16 @@
 	return opts.readPassword()
 }
 
-// readPassword tries to read password with optional cmd prompt.
+// readPassword tries to read password and identity-token with optional cmd prompt.
-// readPassword tries to read password and identity-token with optional cmd prompt.
+// readPassword tries to read password and identity-token with optional cmd
+// prompt.
-// readPassword tries to read password and identity-token with optional cmd prompt.
+// readPassword tries to read password and identity-token with optional cmd
+// prompt.
 func (opts *Remote) readPassword() (err error) {
+	if opts.Password != "" && opts.IdentityToken != "" {
+		return fmt.Errorf("both --password and --identity-token cannot be used together")
+	}
+
 	if opts.Password != "" {
 		fmt.Fprintln(os.Stderr, "WARNING! Using --password via the CLI is insecure. Use --password-stdin.")
+	} else if opts.IdentityToken != "" {
+		fmt.Fprintln(os.Stderr, "WARNING! Using --identity-token via the CLI is insecure.")
 	} else if opts.PasswordFromStdin {
 		// Prompt for credential
 		password, err := io.ReadAll(os.Stdin)
@@ -267,7 +276,19 @@
 
 // Credential returns a credential based on the remote options.
 func (opts *Remote) Credential() auth.Credential {
-	return credential.Credential(opts.Username, opts.Password)
+	if opts.IdentityToken != "" {
+		// If IdentityToken is provided, use it as the credential without a username
+		return auth.Credential{
+			Username: "",
+			Password: opts.IdentityToken,
+		}
+	} else {
+		// If IdentityToken is not provided, use the username and password as credentials
+		return auth.Credential{
+			Username: opts.Username,
+			Password: opts.Password,
+		}
+	}
 }
 
 func (opts *Remote) handleWarning(registry string, logger logrus.FieldLogger) func(warning remote.Warning) {

@@ -48,6 +48,9 @@
 Example - Log in with username and password from command line flags:
   oras login -u username -p password localhost:5000
 
+Example - Log in with identity token from the command line flags:
+  oras login -i token localhost:5000
+
 Example - Log in with username and password from stdin:
   oras login -u username --password-stdin localhost:5000
 
@@ -79,25 +82,34 @@
 func runLogin(ctx context.Context, opts loginOptions) (err error) {
 	ctx, logger := opts.WithContext(ctx)
 
-	// prompt for credential
-	if opts.Password == "" {
+	// Check if both '--username' and '--identity-token' are provided
+	if opts.Username != "" && opts.IdentityToken != "" {
+		return fmt.Errorf("both --username and --identity-token cannot be used together")
+	}
+
+	// If IdentityToken is provided, use it as the credential without a username
+	if opts.IdentityToken != "" {
+		opts.Username = ""                 // Set the username to empty since it's not required when using identity token
+		opts.Password = opts.IdentityToken // Use the identity token as the password
+	} else if opts.Password == "" {
+		// If both '--password' and '--username' are not provided, prompt for credentials
 		if opts.Username == "" {
-			// prompt for username
+			// Prompt for username
 			username, err := readLine("Username: ", false)
 			if err != nil {
 				return err
 			}
 			opts.Username = strings.TrimSpace(username)
 		}
 		if opts.Username == "" {
-			// prompt for token
+			// Prompt for token
 			if opts.Password, err = readLine("Token: ", true); err != nil {
 				return err
 			} else if opts.Password == "" {
 				return errors.New("token required")
 			}
 		} else {
-			// prompt for password
+			// Prompt for password
 			if opts.Password, err = readLine("Password: ", true); err != nil {
 				return err
 			} else if opts.Password == "" {