
Unable to list an org's private repositories and tags using an OAT

Open JuliusDegesys opened this issue 10 months ago • 3 comments

I have an internal service that returns the list of private repositories and tags associated with an org on docker hub for selection in our webapp.

I am able to use a PAT to generate a bearer token. However, I would prefer to use an OAT for all of the same benefits listed here: https://www.docker.com/blog/introducing-organization-access-tokens/.

My current approach is to send an HTTP POST request to the /users/login endpoint.

   curl -X POST https://hub.docker.com/v2/users/login \
     -H "Content-Type: application/json" \
     -d '{"username": "'"$DOCKER_HUB_USERNAME"'", "password": "'"$DOCKER_HUB_PASSWORD"'"}'

With a username and a PAT, this returns a valid response containing a bearer token that I can use to access https://hub.docker.com/v2/repositories/{org_name}

With an OAT, this call returns {"detail":"Cannot log into an organization account"}.

I'm able to use docker login -u $ORG_NAME and the OAT works for the login. I've tried also using the OAT directly as the Bearer token (header: {"Authorization": "Bearer <OAT>"}), but this doesn't seem to work either.

Is there a way to migrate this use case to an OAT? Or is this not yet supported?

JuliusDegesys • Feb 15 '25 16:02

FWIW, I saw that https://docs.docker.com/security/for-admins/access-tokens/ says that OATs are incompatible with Docker REST APIs, but this is the Docker Hub REST API. Or are those the same thing?

JuliusDegesys • Feb 15 '25 16:02

They are the same thing. Initially, OATs only had scopes to work against the registry itself (push and pull). We are incrementally adding more scopes so they can perform more actions. At the moment, they cannot perform repo management actions (listing, creating, etc) but they are on the roadmap.

jcarter3 • Feb 15 '25 17:02

Got it. Thanks for the clarification! I would love to see OATs be usable for the management side of things. Should I leave this issue open? Or is there another ticket I should +1 to show my support?

JuliusDegesys • Feb 16 '25 14:02

Just faced this issue myself trying to list private repos and tokens. It's sad it doesn't work.

sneakyjoeru • Jun 20 '25 14:06

Listing tags from private repos is a common requirement in standard CI/CD pipelines.

The current inability to use OATs with the Docker Hub API to list container tags makes it difficult—if not impossible—to switch from username/password credentials to OATs.

sarlashin-8x8 • Jun 26 '25 03:06

@sarlashin-8x8 We're still working on adding repo scopes to OATs. In the meantime, there is an OCI endpoint to list tags directly from the registry -> https://github.com/distribution/distribution/blob/main/docs/content/spec/api.md#listing-image-tags

We're also working on a proposal to improve the data that is returned here so it includes digest, creation time, etc.

But the Hub APIs should support OATs Soon ™

jcarter3 • Jun 26 '25 21:06
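
Added example (not code from this thread or from Docker): one way to call the registry tags endpoint mentioned in the last reply, using the registry's Bearer token flow with the org name and OAT as Basic credentials. Assumptions: the registry host `registry-1.docker.io`, the token realm `https://auth.docker.io/token`, and an OAT that has pull access to the repository; the credentials are only ever sent to the pinned realm, and pagination links are only followed on the registry host.

```python
import base64, json, re, urllib.error, urllib.parse, urllib.request

REGISTRY = "https://registry-1.docker.io"       # assumption: Docker Hub registry host
TRUSTED_REALM = "https://auth.docker.io/token"  # assumption: its token service

def http_get(url, headers):
    """Default transport: returns (status, lower-cased headers, body bytes)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()

def parse_challenge(value):
    """Split 'Bearer realm="...",service="..."' into a dict of its parameters."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported auth scheme: {scheme!r}")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def fetch_token(challenge, repo, user, secret, get):
    """Trade org name + OAT for a short-lived pull token, only at the pinned realm."""
    if challenge.get("realm") != TRUSTED_REALM:
        raise ValueError("refusing to send credentials to an unexpected realm")
    query = urllib.parse.urlencode(
        {"service": challenge.get("service", ""), "scope": f"repository:{repo}:pull"})
    basic = base64.b64encode(f"{user}:{secret}".encode()).decode()
    status, _, body = get(f"{TRUSTED_REALM}?{query}", {"Authorization": f"Basic {basic}"})
    if status != 200:
        raise PermissionError(f"token request failed with HTTP {status}")
    return json.loads(body)["token"]

def list_tags(repo, user, secret, get=http_get):
    """Return every tag of `repo` ('org/name'), following Link pagination."""
    auth, tags, url = {}, [], f"{REGISTRY}/v2/{repo}/tags/list?n=100"
    while url:
        if not url.startswith(REGISTRY + "/"):
            raise ValueError("pagination link leaves the registry host")
        status, headers, body = get(url, auth)
        if status == 401 and not auth:  # first request: answer the Bearer challenge
            challenge = parse_challenge(headers.get("www-authenticate", ""))
            auth = {"Authorization": "Bearer " + fetch_token(challenge, repo, user, secret, get)}
            continue
        if status != 200:
            raise PermissionError(f"tags/list failed with HTTP {status}")
        tags += json.loads(body).get("tags") or []
        nxt = re.search(r'<([^>]+)>;\s*rel="next"', headers.get("link", ""))
        url = urllib.parse.urljoin(url, nxt.group(1)) if nxt else None
    return tags
```

Call it as `list_tags("<org>/<repo>", "<org>", oat)` with the OAT read from the environment or a secret store rather than hard-coded.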