Fix connecting to registries with non-hardcoded auth scopes #1478
Comments
mtrmac
changed the title
|
What is going on with this issue? |
dcermak
pushed a commit
to dcermak/image
that referenced
this issue
Aug 25, 2022
By default docker_client just uses the auth challenges from the /v2/ ping request to request a Bearer Token. For some requests (e.g. for /v2/_catalog on some registries) this might not be sufficient and return a a HTTP Unauthorized Error with the "www-authenticate" header including an "insufficient_scope" error. In that case the client will now retry the request and fetch a new token with updated challenges to have the "scope" matching for what the endpoint needs. This fixes containers#1478 Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Dan Čermák <[email protected]>
dcermak
pushed a commit
to dcermak/image
that referenced
this issue
Aug 26, 2022
By default docker_client just uses the auth challenges from the /v2/ ping request to request a Bearer Token. For some requests (e.g. for /v2/_catalog on some registries) this might not be sufficient and return a a HTTP Unauthorized Error with the "www-authenticate" header including an "insufficient_scope" error. In that case the client will now retry the request and fetch a new token with updated challenges to have the "scope" matching for what the endpoint needs. This fixes containers#1478 Co-authored-by: Miloslav Trmač <[email protected]> Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Dan Čermák <[email protected]> Signed-off-by: Miloslav Trmač <[email protected]>
dcermak
pushed a commit
to dcermak/image
that referenced
this issue
Aug 26, 2022
By default docker_client just uses the auth challenges from the /v2/ ping request to request a Bearer Token. For some requests (e.g. for /v2/_catalog on some registries) this might not be sufficient and return a a HTTP Unauthorized Error with the "www-authenticate" header including an "insufficient_scope" error. In that case the client will now retry the request and fetch a new token with updated challenges to have the "scope" matching for what the endpoint needs. This fixes containers#1478 Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Dan Čermák <[email protected]> Signed-off-by: Miloslav Trmač <[email protected]> Co-authored-by: Miloslav Trmač <[email protected]>
dcermak
pushed a commit
to dcermak/image
that referenced
this issue
Aug 26, 2022
By default docker_client just uses the auth challenges from the /v2/ ping request to request a Bearer Token. For some requests (e.g. for /v2/_catalog on some registries) this might not be sufficient and return a a HTTP Unauthorized Error with the "www-authenticate" header including an "insufficient_scope" error. In that case the client will now retry the request and fetch a new token with updated challenges to have the "scope" matching for what the endpoint needs. This fixes containers#1478 Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Dan Čermák <[email protected]> Signed-off-by: Miloslav Trmač <[email protected]> Co-authored-by: Miloslav Trmač <[email protected]> Co-authored-by: Ralf Haferkamp <[email protected]>
dcermak
pushed a commit
to dcermak/image
that referenced
this issue
Aug 29, 2022
By default docker_client just uses the auth challenges from the /v2/ ping request to request a Bearer Token. For some requests (e.g. for /v2/_catalog on some registries) this might not be sufficient and return a a HTTP Unauthorized Error with the "www-authenticate" header including an "insufficient_scope" error. In that case the client will now retry the request and fetch a new token with updated challenges to have the "scope" matching for what the endpoint needs. This fixes containers#1478 Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Dan Čermák <[email protected]> Signed-off-by: Miloslav Trmač <[email protected]> Co-authored-by: Miloslav Trmač <[email protected]> Co-authored-by: Ralf Haferkamp <[email protected]>
dcermak
pushed a commit
to dcermak/image
that referenced
this issue
Aug 30, 2022
By default docker_client just uses the auth challenges from the /v2/ ping request to request a Bearer Token. For some requests (e.g. for /v2/_catalog on some registries) this might not be sufficient and return a a HTTP Unauthorized Error with the "www-authenticate" header including an "insufficient_scope" error. In that case the client will now retry the request and fetch a new token with updated challenges to have the "scope" matching for what the endpoint needs. This fixes containers#1478 Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Ralf Haferkamp <[email protected]> Signed-off-by: Dan Čermák <[email protected]> Signed-off-by: Miloslav Trmač <[email protected]> Co-authored-by: Miloslav Trmač <[email protected]> Co-authored-by: Ralf Haferkamp <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See #1079 for a PR.
The text was updated successfully, but these errors were encountered: