Terry Howe
Terry Howe
Last push was just a rebase and fixed conflicts
This PR and following are NOT dependent on this: * https://github.com/oras-project/oras-go/pull/1045 * https://github.com/oras-project/oras-go/pull/1042 * https://github.com/oras-project/oras-go/pull/1038 * https://github.com/oras-project/oras-go/pull/1013
Related https://github.com/helm/helm/issues/30970
From a user perspective, it makes a lot more sense to have a `ForceBasicAuth` for bearer auth rather than a variable to actually use bearer auth for bearer auth.
I think there are two options here, we could do as you suggest and create something like `PreferOAuth2` (although I don't love that name) or cut a major release for...
The reason I'm kind of in favor or new major release is it just isn't right to favor basic auth when the registry requests bearer.
The two documents you linked https://distribution.github.io/distribution/spec/auth/token/ and https://distribution.github.io/distribution/spec/auth/oauth/ never suggest doing basic auth with the registry says it supports bearer auth. In fact they recommend bearer auth.
I like the name `ForceBasicAuth` that be default would be set to `true` if that is possible
Created https://github.com/oras-project/oras-go/issues/1007 to remove depercated ForceAttemptOAuth2 in oras-go v3.
> Since we are now in `v3` development, should we just remove `ForceAttemptOAuth2`? This pull request does remove `ForceAttemptOAuth2` I don't think that will have a big impact on users.