Skip to content

Support IdentityToken in registry authn #829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 13, 2020
Merged

Support IdentityToken in registry authn #829

merged 1 commit into from
Mar 13, 2020
+293 −138

Conversation

@yihuaf
Copy link

@yihuaf yihuaf commented Feb 21, 2020
edited
Loading

Adding the support for using identitytoken in the .docker/config.json
files. It's part of oauth2 and Azure Container Registry is one of the case that uses this.

Since containers/image implemented it's own docker registry client, we want to make it working with oauth2. The identitytoken can be used to get an access/bear token in place of password. Instead of setting basicAuth in the request, we follow the oauth2 definition to send a post request with grant_type.

Reference:

  1. Docker registry oauth2 documentation: https://docs.docker.com/registry/spec/auth/oauth/
  2. Azure Container Registry oauth2 documentation: https://github.com/Azure/acr/blob/7eddc1c5866ce5cc80e95df37d9d119e70d8c15e/docs/AAD-OAuth.md

Test: Tested with podman and logging into azure container registry, which uses identitytoken.

Concern: This patch changed the config.GetAuthentication interface, which is used by podman directly. Not sure if this is intended behaviour for podman to access GetAuthentication directly.

close #748
This is the base to fix these: containers/skopeo#533 and containers/podman#4357.

Signed-off-by: yihuaf [email protected]

@yihuaf yihuaf force-pushed the dev/yihuaf/authfile branch from f435102 to 513fe8c Compare February 21, 2020 23:45
@yihuaf yihuaf changed the title Support IdentityToken in registry authn [WIP] Support IdentityToken in registry authn Feb 22, 2020
@yihuaf yihuaf force-pushed the dev/yihuaf/authfile branch 7 times, most recently from 357c295 to 78f0400 Compare February 22, 2020 06:09
mtrmac
mtrmac reviewed Feb 22, 2020
View reviewed changes
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Just a quick first look.

@mtrmac
Copy link
Collaborator

mtrmac commented Feb 22, 2020

Concern: This patch changed the config.GetAuthentication interface, which is used by podman directly. Not sure if this is intended behaviour for podman to access GetAuthentication directly.

It is a public API, and most of the config subpackage exists for podman {login, logout}, so ti is intended in that sense. This PR should keep that code, unmodified, working for user name+password autentication. Podman might well want to add extra support for the identity token, and in that case it can migrate to a new API.

@yihuaf
Copy link
Author

yihuaf commented Feb 22, 2020

Concern: This patch changed the config.GetAuthentication interface, which is used by podman directly. Not sure if this is intended behaviour for podman to access GetAuthentication directly.

It is a public API, and most of the config subpackage exists for podman {login, logout}, so ti is intended in that sense. This PR should keep that code, unmodified, working for user name+password autentication. Podman might well want to add extra support for the identity token, and in that case it can migrate to a new API.

I can keep the "GetAuthentication" interface intact, and create a new interface for the bearer token code path. "GetAuthentication" can internally call the new function and only expose username and password. Any preference on the name of the new API? "GetAuthenticationDocker" or "GetAuthenticationOauth2"?

@yihuaf yihuaf force-pushed the dev/yihuaf/authfile branch from 78f0400 to 4e92f3a Compare February 24, 2020 19:55
@yihuaf yihuaf changed the title [WIP] Support IdentityToken in registry authn Support IdentityToken in registry authn Feb 24, 2020
@yihuaf yihuaf requested a review from mtrmac February 24, 2020 19:58
@yihuaf yihuaf force-pushed the dev/yihuaf/authfile branch from 4e92f3a to 02cce69 Compare February 26, 2020 19:02
@yihuaf
Copy link
Author

yihuaf commented Feb 26, 2020

@mtrmac PTAL at the latest change. Addressed your comments.

@rhatdan
Copy link
Member

rhatdan commented Mar 3, 2020

@vrothberg PTAL

vrothberg
vrothberg reviewed Mar 4, 2020
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but I want @mtrmac to have another look.

I guess we need to support that in the kernel keyring once we enable support for it.

@yihuaf yihuaf force-pushed the dev/yihuaf/authfile branch 2 times, most recently from 3c6aa72 to 617ad75 Compare March 7, 2020 00:28
@yihuaf
Copy link
Author

yihuaf commented Mar 7, 2020

Force push to rebase to latest master.

@mtrmac
Copy link
Collaborator

mtrmac commented Mar 7, 2020

I can keep the "GetAuthentication" interface intact, and create a new interface for the bearer token code path. "GetAuthentication" can internally call the new function and only expose username and password. Any preference on the name of the new API? "GetAuthenticationDocker" or "GetAuthenticationOauth2"?

(I know, bikeshedding…) GetAuthenticationStruct? It is not only for OAuth2. Or, maybe, I never really liked the “authentication” noun here - GetCredentials?

mtrmac
mtrmac reviewed Mar 7, 2020
View reviewed changes
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, and I apologize for the delay.

This is a full review now. Highlights:

  • The GetAuthenticationOAuth2 naming
  • Behavior of GetAuthentication with OAuth2 configuration
  • The account removal on GET token requests.

@mtrmac mtrmac mentioned this pull request Mar 7, 2020
Closed
@yihuaf yihuaf force-pushed the dev/yihuaf/authfile branch from 617ad75 to 3fa066e Compare March 9, 2020 20:58
@yihuaf
Copy link
Author

yihuaf commented Mar 9, 2020
edited
Loading

Addressed the review. Created a separate commit so it's easier to track the change. I can squash the commits together if needed. @mtrmac

@yihuaf yihuaf requested a review from mtrmac March 9, 2020 21:58
@yihuaf yihuaf force-pushed the dev/yihuaf/authfile branch from 3fa066e to be0e42f Compare March 10, 2020 23:01
@yihuaf
Copy link
Author

yihuaf commented Mar 10, 2020

Force push to rebase master.

@yihuaf yihuaf requested a review from vrothberg March 11, 2020 18:05
@vrothberg
Copy link
Member

vrothberg commented Mar 11, 2020

I will do another review tomorrow (unless it's merged before :-)). But before merging, @yihuaf could you squash the commits into one?

@yihuaf
Copy link
Author

yihuaf commented Mar 11, 2020

I will do another review tomorrow (unless it's merged before :-)). But before merging, @yihuaf could you squash the commits into one?

I can certainly do that :)

@yihuaf yihuaf force-pushed the dev/yihuaf/authfile branch from be0e42f to 8dfc0a0 Compare March 11, 2020 18:26
mtrmac
mtrmac reviewed Mar 12, 2020
View reviewed changes
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the update!

vrothberg
vrothberg reviewed Mar 12, 2020
View reviewed changes
@yihuaf yihuaf force-pushed the dev/yihuaf/authfile branch 3 times, most recently from 7f0b781 to a77e2c2 Compare March 13, 2020 23:03
mtrmac
mtrmac reviewed Mar 13, 2020
View reviewed changes
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One last nit.

Support IdentityToken in registry authn
31d443d 
Adding the support for using identitytoken in the .docker/config.json
files. Azure Container Registry is one of the case that uses this.

Signed-off-by: yihuaf <[email protected]>
@yihuaf yihuaf force-pushed the dev/yihuaf/authfile branch from a77e2c2 to 31d443d Compare March 13, 2020 23:08
@yihuaf
Copy link
Author

yihuaf commented Mar 13, 2020

One last nit.

done.

@yihuaf yihuaf requested review from mtrmac and vrothberg March 13, 2020 23:09
mtrmac
mtrmac approved these changes Mar 13, 2020
View reviewed changes
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks!

@mtrmac mtrmac merged commit bf94267 into containers:master Mar 13, 2020
@yihuaf yihuaf deleted the dev/yihuaf/authfile branch March 14, 2020 01:03
@yihuaf yihuaf mentioned this pull request Mar 14, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtrmac mtrmac mtrmac approved these changes

@vrothberg vrothberg Awaiting requested review from vrothberg

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support oauth2 authentication mechanism

4 participants

@yihuaf @mtrmac @rhatdan @vrothberg