overlaybd icon indicating copy to clipboard operation
overlaybd copied to clipboard

Published 20 hours ago verified publisher icon containerd

Issue authenticating with ACR

Open juliusl opened this issue 3 years ago • 1 comments

Hello, I was having issues authenticating with ACR. I looked at the code and noticed it uses the basic auth flow w/ GET request. For ACR, we use the POST refresh token method -- Is there a way to use alternative auth modes?

https://github.com/containerd/overlaybd/blob/938be8b2f19735c229d3b49f40cea5936b61965c/src/overlaybd/registryfs/registryfs.cpp#L295-L302

Example curl of what I mean

                curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded" -d \
                "grant_type=refresh_token&service=$registry&scope=$scope&refresh_token=$acr_refresh_token" \
                https://$registry/oauth2/token

juliusl avatar Oct 06 '22 04:10 juliusl

abstract an out auth api and dynamic link the implementation? @Coldwings any suggestions?

liulanzheng avatar Oct 08 '22 06:10 liulanzheng

Looks like this is working now so closing.

juliusl avatar Feb 06 '23 22:02 juliusl

Add one more configuration option to set the token request method is a simple way to fit AzureCR situation. Both a dynamic linked plugin and a tcp/domain socket http server as a auth service proxy can fit all different kinds of auth routine, we should consider for these approach, but I think a proxy to auth is much simpler.

Coldwings avatar Feb 07 '23 03:02 Coldwings