Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AuthHandshakeMessageHandler: also try Basic auth when username is '<token>'. #43354

Closed
wants to merge 1 commit into from

Conversation

tmds
Copy link
Member

@tmds tmds commented Sep 11, 2024

OpenShift's image registry expects the '<token>' username to be handled using the Basic auth scheme.

Fixes #43319.

@baronfel ptal.

…oken>'.

OpenShift's image registry expects the '<token>' username to be handled
using the Basic auth scheme.
@dotnet-issue-labeler dotnet-issue-labeler bot added Area-Infrastructure untriaged Request triage from a team member labels Sep 11, 2024
@baronfel
Copy link
Member

I want to know more about how/why Docker/Podman work with OpenShift. From my reading of the Basic auth handler in regclient the Basic auth only uses username/password credentials, never Token-based credentials. The Token-based credentials are only used with Bearer auth.

Digging way down into how Docker does auth, I see everything relies on what's parsed from the WWW-authenticate header from the registry - can you see what's in the WWW-authenticate header when you ping your OpenShift registry?

@tmds
Copy link
Member Author

tmds commented Sep 11, 2024

@baronfel I tried to keep this PR focused on something backportable to .NET 9 so we can have working auth against the OpenShift registry.

I'm also interested in understanding better how docker/podman work so we can align on their behavior. I assume that may mean a bigger (and riskier) change.

I want to know more about how/why Docker/Podman work with OpenShift. From my reading of the Basic auth handler in regclient the Basic auth only uses username/password credentials, never Token-based credentials. The Token-based credentials are only used with Bearer auth.

Not sure if this matters, the auth is stored as:

{
	"auths": {
		"default-route-openshift-image-registry.apps.sandbox-m3.1530.p1.openshiftapps.com": {
			"auth": "..."
		}
	}
}

And ... here is base64(username:password), and in this case username is the literal <token>.

can you see what's in the WWW-authenticate header when you ping your OpenShift registry?

It is:

www-authenticate: Bearer realm="https://default-route-openshift-image-registry.apps.sandbox-m3.1530.p1.openshiftapps.com/openshift/token"

The full response is:

< HTTP/1.1 401 
< content-type: application/json
< docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://default-route-openshift-image-registry.apps.sandbox-m3.1530.p1.openshiftapps.com/openshift/token"
< x-registry-supports-signatures: 1
< content-length: 87
< date: Wed, 11 Sep 2024 17:14:00 GMT
< set-cookie: 34727b82525eb26a530629c5bf0ec2f2=0e38c0640afce7f2163862707f60209e; path=/; HttpOnly; Secure; SameSite=None
< 
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}

@baronfel
Copy link
Member

baronfel commented Sep 11, 2024

That WWW-Authenticate is literally asking us to use the Bearer scheme though. I'm very confused by this.

@tmds
Copy link
Member Author

tmds commented Sep 11, 2024

That WWW-Authenticate is literally asking us to use the Bearer scheme though. I'm very confused by this.

Me too. I'm going to try and figure out what podman does exactly.

@tmds
Copy link
Member Author

tmds commented Sep 12, 2024

I'm going to try and figure out what podman does exactly.

Here it is:

When the server responds with WWW-Authenticate: Bearer, the client is here: https://github.com/containers/image/blob/31d4ad14fe4da8ef3969ff67297831ab291c76f1/docker/docker_client.go#L744-L748

And in the getBearerToken branch, it responds with Authorization: Basic: https://github.com/containers/image/blob/31d4ad14fe4da8ef3969ff67297831ab291c76f1/docker/docker_client.go#L842.

I tried both podman and docker with the config mentioned in #43354 (comment) and both are responding with Basic.

Currently the PR adds the Basic auth as a fall back on the existing logic.
I assume this is desired for requesting a .NET 9 backport.

To align further with podman/docker we need to update the existing auth code (and try additional cases).

@tmds
Copy link
Member Author

tmds commented Sep 13, 2024

To align further with podman/docker we need to update the existing auth code (and try additional cases).

I'll take a closer look at this and make a separate PR so we know what those changes would be. I hope to find some time for it next week or the week after.

@tmds
Copy link
Member Author

tmds commented Sep 17, 2024

I'll take a closer look at this and make a separate PR so we know what those changes would be.

WIP: #43491

@baronfel baronfel added the Area-Containers Related to dotnet SDK containers functionality label Sep 18, 2024
@tmds
Copy link
Member Author

tmds commented Sep 23, 2024

Closing in favor of #43491.

@tmds tmds closed this Sep 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area-Containers Related to dotnet SDK containers functionality Area-Infrastructure untriaged Request triage from a team member
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Unable to authenticate against the OpenShift internal registry using a token.
2 participants