It is not possible to push a blob with ContainerD when Bearer Token authentication is used.
Pushing a chart with helm (https://helm.sh/docs/faq/#pushing-charts-to-oci-registries).
Error: no scope specified for token auth challenge
ContainerD does the following (https://github.com/containerd/containerd/blob/master/remotes/docker/resolver.go#L553):
- try to push without any authorization
- If the response has a status of 401, look at the WWW-AUTHENTICATE to reconfigure itself
- The header has to specify a scope for the token, so that ContainerD can request it correctly (https://github.com/containerd/containerd/blob/master/remotes/docker/auth/parse.go#L98)
ContainerD follows the spec: https://docs.docker.com/registry/spec/auth/scope/#resource-provider-use last paragraph
NXRM should provide the required scope in the response header