
Dockerhub token server always issues a token

Open imjasonh opened this issue 6 years ago • 7 comments

Problem description

When requesting an auth token from the Dockerhub token server, it always responds with a token, without checking whether my request for a token was authenticated with credentials of a user with requested access to the repository, or even whether the repository exists.

For example, this should fail, because it's made without credentials, and anonymous users cannot push to this repository. Instead, it responds with a token:

https://auth.docker.io/token?scope=repository%3Agoogle%2Fcloud-sdk%3Apush%2Cpull&service=registry.docker.io

Likewise, this should fail, because the specified repository g00000000000oogle/cloud-sdk doesn't exist. Instead, it responds with a token:

https://auth.docker.io/token?scope=repository%3Ag00000000000oogle%2Fcloud-sdk%3Apush%2Cpull&service=registry.docker.io

This also happens when the request to the token server is authenticated as my Dockerhub user, which also does not have push access to that repository.

This also happens if you only request the push scope, not just push,pull:

https://auth.docker.io/token?scope=repository%3Agoogle%2Fcloud-sdk%3Apush&service=registry.docker.io


In contrast, GCR's token server correctly blocks me from getting a token with push,pull scope with anonymous credentials (the project exists, but can't be pushed to anonymously):

https://gcr.io/v2/token?scope=repository%3Ajasonhall-kube%2Ffoo%3Apush%2Cpull&service=gcr.io

And likewise when the repository (i.e., GCP project) doesn't exist:

https://gcr.io/v2/token?scope=repository%3Ag000000000gle-kube%2Ffoo%3Apush%2Cpull&service=gcr.io

It also blocks me from getting a token when the project does exist, but I don't have permission to push the image.


It seems that Dockerhub's token server is not compliant with Docker's own registry spec. From Token Authentication Specification > Requesting a Token:

After authenticating the client (which may simply be an anonymous client if no attempt was made to authenticate), the token server must next query its access control list to determine whether the client has the requested scope. In this example request, if I have authenticated as user jlhawn, the token server will determine what access I have to the repository samalba/my-app hosted by the entity registry.docker.io.


As a result, it seems to be impossible to check whether credentials can be used to push to Dockerhub without actually attempting to initiate an upload, which means an extra HTTP request.

Security Issues

I don't believe this presents an inherent security issue; attempting to use the token to push an image still fails like you would expect.

imjasonh avatar Mar 17 '19 18:03 imjasonh
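The token specification quoted above also defines an `access` claim in the issued JWT that lists what the token actually grants, so a client can compare that claim against the scope it requested instead of discovering a denial only when the upload fails. The following added example (written for this page, not code from the issue or from Docker) does that comparison against a constructed token response; `fetch_token` builds the same URL shape as the issue's examples, and whether a real Docker Hub token reflects a denial in its `access` claim is an assumption to verify, not something the issue states.

```python
import base64
import json
import urllib.parse
import urllib.request

def fetch_token(scope, service="registry.docker.io", url="https://auth.docker.io/token"):
    """Anonymous live request with the same URL shape as the issue (not used offline)."""
    query = urllib.parse.urlencode({"scope": scope, "service": service})
    with urllib.request.urlopen(f"{url}?{query}") as resp:
        return json.loads(resp.read())

def parse_scope(scope):
    """Split 'repository:google/cloud-sdk:push,pull' into (type, name, {actions})."""
    rtype, name, actions = scope.split(":", 2)
    return rtype, name, set(actions.split(","))

def decode_payload(jwt):
    """Return the JWT payload claims. The signature is NOT verified: this is
    client-side inspection of what the server says it granted, not trust in it."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def granted_actions(token_response, scope):
    """Actions the token's 'access' claim grants for the scope's resource."""
    rtype, name, _ = parse_scope(scope)
    granted = set()
    for entry in decode_payload(token_response["token"]).get("access", []):
        if entry.get("type") == rtype and entry.get("name") == name:
            granted.update(entry.get("actions", []))
    return granted

def missing_actions(token_response, scope):
    """Requested actions the token does not grant; empty set means fully granted."""
    _, _, wanted = parse_scope(scope)
    return wanted - granted_actions(token_response, scope)

# Constructed sample reply (not a real Docker Hub token): an unsigned JWT whose
# payload grants only 'pull' although 'push,pull' was requested.
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

SAMPLE_CLAIMS = {"iss": "auth.docker.io", "aud": "registry.docker.io", "access": [
    {"type": "repository", "name": "google/cloud-sdk", "actions": ["pull"]}]}
SAMPLE_RESPONSE = {"token": _b64url({"alg": "none", "typ": "JWT"}) + "." + _b64url(SAMPLE_CLAIMS) + ".sig"}
```

Against a live token server, `missing_actions(fetch_token(scope), scope)` shows whether the returned token's `access` claim reflects the denial the issue describes or whether only the upload attempt does.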

We are clearing up our old issues and your ticket has been open for one year with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot] avatar May 08 '21 01:05 github-actions[bot]

I'm still able to reproduce this behavior FWIW.

imjasonh avatar May 10 '21 11:05 imjasonh

We are clearing up our old issues and your ticket has been open for 6 months with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot] avatar Nov 07 '21 00:11 github-actions[bot]

Still reproducible, I assume this is just expected behavior.

imjasonh avatar Nov 07 '21 00:11 imjasonh

We are clearing up our old issues and your ticket has been open for 6 months with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot] avatar May 07 '22 00:05 github-actions[bot]

Still reproducible, I assume this is just expected behavior.

imjasonh avatar May 07 '22 02:05 imjasonh

Thanks for reporting this @imjasonh!

Added an investigating label to keep the issue closing bot at bay

chris-crone avatar May 24 '22 11:05 chris-crone