buildx can't push to artifactory or other repos that don't have /oauth/token as their token endpoint

[scr-oath]

trafficstars

When pushing final image using docker buildx build to an enterprise artifactory docker registry, auth seems to fail

I suspect that the request is looking directly for /oauth/token endpoint, regardless of the WWW-Authenticate response.

$ curl -v https://${DOCKER_REGISTRY}/v2/scr/tst-multi-platform/tags/list |& grep WWW
< WWW-Authenticate: Bearer realm="https://${DOCKER_REGISTRY}/artifactory/api/docker/registry/v2/token",service="${DOCKER_REGISTRY}:4443",scope="repository:scr/tst-multi-platform:pull"

• See also https://github.com/IBM/portieris/issues/51

[tonistiigi]

We should use WWW-Authenticate properly and no hardcoded endpoint addresses https://github.com/moby/buildkit/blob/a6a114a1a476c99c2501aa34811159b849df4005/vendor/github.com/containerd/containerd/remotes/docker/auth/fetch.go#L118 . Maybe someone from Artifactory can look at it. The auth code mostly comes from containerd repository.

[scr-oath]

Hmm… well that's strange… I'll try to do some more debugging when I get a chance and wireshark if possible to see what's being sent returned… unless you have some recommendations for enabling/collecting debugging logs