Dev - Nexus Repo / NEXUS-26313

WWW-AUTHENTICATE header does not include needed scope of token

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.28.1
    • Fix Version/s: 3.35.0
    • Component/s: Docker
    • Labels:
    • Story Points:
      3
    • Sprint:
      NXRM Groot Sprint 16, NXRM MadMax Sprint 17, NXRM MadMax Sprint 18
    • Notability:
      3

      Description

      Problem:

      It is not possible to push a blob with ContainerD when Bearer Token authentication is used.

      How to reproduce:

      Pushing a chart with helm (https://helm.sh/docs/faq/#pushing-charts-to-oci-registries).
      Error: no scope specified for token auth challenge

      Analysis:

      Helm uses https://github.com/deislabs/oras, which uses https://github.com/containerd/containerd to push OCI data to a repository.

      ContainerD does the following (https://github.com/containerd/containerd/blob/master/remotes/docker/resolver.go#L553):

      1. Try to push without any authorization.
      2. If the response has a status of 401, look at the WWW-AUTHENTICATE header to reconfigure itself.
      3. The header has to specify a scope for the token, so that ContainerD can request it correctly (https://github.com/containerd/containerd/blob/master/remotes/docker/auth/parse.go#L98).

      ContainerD follows the spec (https://docs.docker.com/registry/spec/auth/scope/#resource-provider-use, last paragraph).

      Solution

      NXRM should provide the required scope in the response header
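
Added example, not part of the original report and not containerd's or NXRM's code: a small Go parser for a Bearer `WWW-Authenticate` challenge that fails with the error quoted above when the `scope` parameter is missing. The names `parseBearer` and `RequireScope` and the `nexus.example` host are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNoScope mirrors the client-side error quoted in the report.
var ErrNoScope = errors.New("no scope specified for token auth challenge")

// parseBearer reads key=value parameters from one Bearer challenge. Quoted values
// may contain commas (scope="...:pull,push"); backslash escapes are not handled.
func parseBearer(header string) (map[string]string, error) {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(header), " ")
	if !strings.EqualFold(scheme, "Bearer") {
		return nil, fmt.Errorf("unsupported auth scheme %q", scheme)
	}
	params := map[string]string{}
	for rest = strings.TrimLeft(rest, " ,"); rest != ""; rest = strings.TrimLeft(rest, " ,") {
		key, after, ok := strings.Cut(rest, "=")
		if !ok {
			return nil, fmt.Errorf("malformed parameter near %q", rest)
		}
		val, next, _ := strings.Cut(after, ",") // unquoted token
		if strings.HasPrefix(after, `"`) {      // quoted string: read to the closing quote
			var closed bool
			if val, next, closed = strings.Cut(after[1:], `"`); !closed {
				return nil, errors.New("unterminated quoted value")
			}
		}
		params[strings.ToLower(strings.TrimSpace(key))], rest = val, next
	}
	return params, nil
}

// RequireScope returns the scope a client should request a token for, or
// ErrNoScope when the registry's 401 challenge does not carry one.
func RequireScope(header string) (string, error) {
	p, err := parseBearer(header)
	if err == nil && p["scope"] == "" {
		err = ErrNoScope
	}
	return p["scope"], err
}

func main() {
	// Constructed header (placeholder host) with no scope parameter.
	fmt.Println(RequireScope(`Bearer realm="https://nexus.example/token",service="nexus.example"`))
}
```

A challenge that also carries a parameter such as `scope="repository:charts/demo:pull,push"` (constructed value) returns that scope with the comma intact, which is what the requested fix makes the server send.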

            People

            Assignee:
            mpiggott Matthew Piggott
            Reporter:
            danny02 Daniel Heinrich
            Last Updated By:
            Eugene Bulatnikov Eugene Bulatnikov
            Team:
            NXRM - Mad Max
            Votes:
            4
            Watchers:
            12
