8000 Unable to authenticate against the OpenShift internal registry using a token. · Issue #43319 · dotnet/sdk · GitHub
[go: up one dir, main page]
Skip to content

Unable to authenticate against the 8000 OpenShift internal registry using a token. #43319

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tmds opened this issue Sep 10, 2024 · 5 comments · Fixed by #43491
Closed

Unable to authenticate against the OpenShift internal registry using a token. #43319

tmds opened this issue Sep 10, 2024 · 5 comments · Fixed by #43491
Labels
Area-CLI Area-Containers Related to dotnet SDK containers functionality

Comments

@tmds
Copy link
Member
tmds commented Sep 10, 2024

The .NET SDK can't authenticate against the OpenShift image when the auth.json has an auth that starts with <token>:.

This case is treated special here:

sdk/src/Containers/Microsoft.NET.Build.Containers/AuthHandshakeMessageHandler.cs

Lines 321 to 323 in 3390aa4

var header = privateRepoCreds.Username == "<token>"
? new AuthenticationHeaderValue(BearerAuthScheme, privateRepoCreds.Password)
: new AuthenticationHeaderValue(BasicAuthScheme, Convert.ToBase64String(Encoding.ASCII.GetBytes($"{privateRepoCreds.Username}:{privateRepoCreds.Password}")));

The use of the Bearer scheme is causing the authentication to fail. When I change it to Basic (that is: removing the special case) then the authentication works.

With podman debug logging, there is a single GET call to the realm uri. I assume it immediately goes for the Basic auth.

DEBU[0000] GET https://<registry>/v2/ 
DEBU[0000] Ping https://<registry>/v2/ status 401 
DEBU[0000] GET https://<registry>/openshift/token?account=%3Ctoken%3E&scope=repository%3Atdeseyn-dev%2Fdotnet-runtime%3Apull 
DEBU[0000] Increasing token expiration to: 60 seconds   
DEBU[0000] GET https://<registry>/v2/tdeseyn-dev/dotnet-runtime/manifests/8.0

@baronfel can we make the .NET 9 SDK capable of supporting this scenario by also trying basic auth for <token>? I can work on a PR.

For .NET 10, perhaps we can take a closer look at how docker and podman do the auth and try to mimic their behavior?

cc @omajid
@ghost ghost added Area-CLI untriaged Request triage from a team member labels Sep 10, 2024
@baronfel
Copy link
Member

It is very unlikely we could get anything for .NET 9 - we are locking down in like a week and the containers team has several other things we are driving on. If you could provide pointers to the spec or experiential data about how podman/docker do auth we could maybe change this, but auth is a very scary area to change because it's not under good testing in this repo.

@baronfel baronfel added the Area-Containers Related to dotnet SDK containers functionality label Sep 10, 2024
@tmds
Copy link
Member Author
tmds commented Sep 10, 2024

It is very unlikely we could get anything for .NET 9 - we are locking down in like a week and the containers team has several other things we are driving on.

A .NET 9 patch release would be fine too. And the change would be adding a fallback, so that would minimize the risk of introducing a regression in the existing auth mechanisms.

@tmds
Copy link
Member Author
tmds commented Sep 10, 2024

I'm going to make a PR against main and then you can assess the back-portability.

It would be nice if we don't have to wait for a .NET 10 SDK to have this fixed.

Do you recall for what registry the handling of <token> was added to TryTokenGetAsync?

@baronfel
Copy link
Member

It's required for handling identity tokens when doing registry auth. You can see it in use at regclient. See docs at docekr cli and similar usage in the docker CLI.

@tmds tmds mentioned this issue Sep 11, 2024
Closed
@tmds tmds mentioned this issue Sep 19, 2024
Merged
@tmds
Copy link
Member Author
tmds commented May 16, 2025

Fixed by #43491.

@tmds tmds closed this as completed May 16, 2025
@dotnet-policy-service dotnet-policy-service bot removed the untriaged Request triage from a team member label May 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area-CLI Area-Containers Related to dotnet SDK containers functionality
Projects
None yet
Milestone
No milestone
2 participants
@baronfel @tmds
0