Trying to connect to private registry with custom token auth (not a bug, just looking for help)

Open zenbones opened this issue 8 months ago • 0 comments

I'm running docker-registry-ui with docker compose. Our private registry, running on another server, uses token auth, and we have a custom auth server, and that has been working fine for some time. The docs for token auth with this project suggest...

In this image, we will replace the docker client/daemon by the Docker Registry UI. Here are the steps:

1. Attempt to get a resource (catalog, image info, image delete) with the registry.
2. If the registry requires authorization it will return a `401 Unauthorized` HTTP response with information on how to authenticate.

This is true, all good so far.

3. The docker registry ui makes a request to keycloak for a Bearer token.
   1. Your browser will use the [Basic Access Authentication Protocol](https://en.wikipedia.org/wiki/Basic_access_authentication#Protocol). But keycloak does not support this protocol... That's why we need a nginx proxy on top of keycloak.
   2. Your proxy will receive a request on `/auth/realms/{realm name}/protocol/docker-v2/auth` without Authentication header. It will return a `401 Unauthorized` HTTP response with `WWW-Authenticate` header.

Not so true. Looking at the dev tools in the web app I see a single request for...

```
http://<host>/v2/_catalog?n=1000
Request Method: GET
```

...that returns a 401, and I get no further requests on any path. With tcpflow I see the request above (3 times actually), and 3 responses...

```
010.000.002.119.00080-010.000.000.015.62553: HTTP/1.1 401 Unauthorized
Server: nginx/1.27.4
Date: Mon, 14 Apr 2025 22:02:37 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 87
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://<host>/<path>/docker/auth",service="myservice"
X-Content-Type-Options: nosniff
P3P: CP="Contact [email protected] for our policy."

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
```

But no further requests.

Should the ui be making a request on the... /auth/realms/{realm name}/protocol/docker-v2/auth ...path?

Am I doing something wrong?

zenbones · Apr 14 '25 22:04
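Added example, not part of the original issue and not docker-registry-ui's own code: a small checker for a captured 401 like the one above. It parses the `Www-Authenticate: Bearer` challenge, builds the token request a registry token-auth client would send to the realm, and reports whether browser script can read the challenge at all. The function names, the `auth.example.test` host and the sample headers are constructed, and whether the UI and registry are on different origins in this setup is an assumption the caller supplies.

```javascript
// Added example; function names are hypothetical, not docker-registry-ui's code.

// Parse `Bearer realm="...",service="..."` into { scheme, params }.
function parseChallenge(header) {
  const m = /^\s*([A-Za-z]+)\s+(.*)$/.exec(header || "");
  if (!m) return null;
  const params = {};
  const re = /([A-Za-z_]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  for (let p; (p = re.exec(m[2])) !== null; ) {
    params[p[1].toLowerCase()] =
      p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
  }
  return { scheme: m[1].toLowerCase(), params };
}

// URL a token-auth client requests next: the realm plus service and scope.
function tokenUrl(challenge, scope) {
  if (!challenge || challenge.scheme !== "bearer" || !challenge.params.realm) {
    throw new Error("not a Bearer challenge with a realm");
  }
  const url = new URL(challenge.params.realm);
  if (challenge.params.service) url.searchParams.set("service", challenge.params.service);
  const wanted = scope || challenge.params.scope;
  if (wanted) url.searchParams.set("scope", wanted);
  return url.toString();
}

// Can page script read the challenge? Same-origin: yes. Cross-origin: only if
// the response passes CORS and lists WWW-Authenticate in
// Access-Control-Expose-Headers (it is not a CORS-safelisted response header).
// A `*` value is not treated as exposing the header here.
function challengeReadable(headers, crossOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  if (!("www-authenticate" in h)) return false;
  if (!crossOrigin) return true;
  if (!h["access-control-allow-origin"]) return false; // CORS check fails
  const exposed = (h["access-control-expose-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase());
  return exposed.includes("www-authenticate");
}

// Constructed sample modelled on the captured response (host is made up).
const SAMPLE_401 = {
  "Www-Authenticate": 'Bearer realm="https://auth.example.test/docker/auth",service="myservice"',
  "Docker-Distribution-Api-Version": "registry/2.0",
};
```

Feed it the header set from a tcpflow or dev-tools capture; a `false` from `challengeReadable` for a cross-origin deployment means the 401 reaches the browser but the realm never reaches the script.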