Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-9838

Invalid scope specification for Docker hub authentication


    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: 3.0.0-m7, 3.0.0
    • Fix Version/s: 3.0.0
    • Component/s: Docker, Documentation
    • Labels:
    • Story Points:
    • Sprint:
      Sprint 65 - Föhn



      The Docker proxy recipe for Docker hub may perform a pull using the v1 API for the registry, but not v2. The basis for this following explanation is the Docker Registry v2 authentication via central service and Docker Registry v2 Bearer token specification.

      When attempt to perform a pull from an official library

      $ docker pull centos:5

      The following log entries are produced (with some information not included)

      2016-02-17 19:40:27,269-0700 Fetching: GET https://registry-1.docker.io/v2/centos/manifests/5 HTTP/1.1
      2016-02-17 19:40:28,034-0700 Fetching: GET https://auth.docker.io/token?service=registry.docker.io&scope=repository:centos:pull HTTP/1.1
      2016-02-17 19:40:28,482-0700 Response: HttpResponseProxy{ HTTP/1.1 200 OK [Content-Type: application/json, Date: Thu,18 Feb 2016 02:40:28 GMT, Content-Length: 1358, Strict-Transport-Security: max-age=31536000] ResponseEntityProxy{[Content-Type: application/json,Content-Length: 1358,Chunked: false]}}
      2016-02-17 19:40:28,628-0700 Error: GET /v2/centos/manifests/5: 401 - ... access to the requested resource is not authorized

      When the same sequence is performed manually, the result, obviously, remains the same. When authenticating anonymously the following access is included in the resultant JWT token

          "access": []

      The request that should be made is the following


      Notice the inclusion of the library and the result when the token is requested is

          "access": [
                  "type": "repository",
                  "name": "library/centos",
                  "actions": [

      The request for the manifest should also include library

      GET /v2/library/centos/manifests/5

      The documentation for 3.0 alludes to the library in section 9.10. Pulling Images. However, the examples do not include the library and, when not included, the application, as it should, reverts to v1 and produces the following warning

      $ docker pull private-registry:18444/centos:5
      private-registry:18444/centos: this image was pulled from a legacy registry. Important: This registry version will not be supported in future versions of docker.

      Suggested Actions

      In order to avoid confusion

      • the documentation should be updated to explain the need to include the library registry
      • the code should be updated to include library when not specified in the pull request


      In order to avoid falling back to v1 and the warning message, include the library when needed.

      $ docker pull private-registry:18444/library/centos:5


          Issue Links



              dwallace Dulani Wallace
              bkeyser-arrow Brian Keyser
              Last Updated By:
              Peter Lynch Peter Lynch
              1 Vote for this issue
              7 Start watching this issue


                Date of First Response: