docker_auth icon indicating copy to clipboard operation
docker_auth copied to clipboard

Published 20 hours ago verified publisher icon cesanta

One authorization request per each Docker command

Open ThilinaManamgoda opened this issue 7 years ago • 3 comments

I have noticed that per each Docker command, the Docker auth service gets hit for authorization. But as far as I understand this token based and authentication server should get hit when the access token is expired. I have increased the access token expiration but still, the problem occurs.

ThilinaManamgoda avatar Feb 19 '18 05:02 ThilinaManamgoda

I also noticed this while evaluating docker_auth for a production use-case. Clearly the expiration works to some extent—a typical Docker operation involves numerous HTTP requests for which the registry would need to authenticate the token each time, and this seems to work fine—but just not between subsequent operations.

It could be something to do with my configuration I suppose. Something that causes either the CLI to not send the token on the initial request or that causes the registry to reject calls to '/v2' making the CLI think it needs to re-auth.

@rojer any ideas?

patricklucas avatar Mar 17 '18 15:03 patricklucas

@patricklucas are you saying that auth is checked just once for the initial docker command, but not for subsequent http requests (as part of the same command)?

ghostsquad avatar Mar 29 '18 21:03 ghostsquad

Actually, I was claiming the opposite: my client appeared to be getting 401s from the registry and then re-requesting a new token on every HTTP request, not just every command. (i.e. the initial GET to /v2/ as well as requests for manifests and blobs)

However, I just re-ran my test to collect some logs, but now it's happening how I expect: the GET to /v2/ returns a 401, my client gets a token for repository:<repo>:pull, and it uses it successfully on all subsequent calls. My working theory is that there was a problem with my Docker for Mac setup.

That said, @ThilinaManamgoda's original issue still stands: if you re run the same docker command immediately after, it doesn't use the token it got the first time (even though it's still valid) but instead requests a new token with identical scope. I think this must just be a behavior of the docker CLI tool and not docker_auth—the CLI must simply not be persisting tokens for re-use between calls, opting to keep them only in memory for use with multiple requests with the same scope in the same overall command.

patricklucas avatar Mar 30 '18 10:03 patricklucas