docker login with an OIDC user: Error response from daemon: Get "https://harbor.bd.test.lanrui-ai.com/v2/": unauthorized: authentication required
I use casdoor as oidc provider.
I found that some users can log in to docker normally, but some users cannot.
For those users who cannot log in using docker, I can log in with docker login again after logging in through the harbor browser console, but they cannot log in again after the token expiration time.
My harbor oidc configuration is as follows:
Docker login error is as follows:
Error response from daemon: Get "https://harbor.example.com/v2/": unauthorized: authentication required
The error log of harbor-core is as follows:
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="7d9431c8-50ce-4112-9d8b-541974d13d00"]: failed to verify secret, username: perftest7, error: failed to refresh token, username: perftest7, error: oauth2: "error: grant_type: refresh_token is not supported in this application"
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="116.236.195.166, 172.25.0.11" requestID="7d9431c8-50ce-4112-9d8b-541974d13d00" user agent="docker/20.10.10 go/go1.16.9 git-commit/e2f740d kernel/5.10.47-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.10 \(darwin\))"]: failed to authenticate user:perftest7, error:not supported
The detailed error log of harbor-core is as follows:
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 688deb6d-c302-4e09-8c64-e5cb5c070492 to the logger for the request GET /v2/
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /v2/
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="688deb6d-c302-4e09-8c64-e5cb5c070492"]: an unauthorized security context generated for request GET /v2/
2024-02-28T09:16:29Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized: unauthorized"}]}
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 7d9431c8-50ce-4112-9d8b-541974d13d00 to the logger for the request GET /service/token
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /service/token?account=perftest7&client_id=docker&offline_token=true&service=harbor-registry
2024-02-28T09:16:29Z [DEBUG] [/pkg/oidc/secret.go:87]: Verifying the secret for user: perftest7
2024-02-28T09:16:29Z [DEBUG] [/pkg/oidc/secret.go:116]: Refreshing token
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_groups_claim, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_admin_group, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_groups_claim, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_admin_group, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_groups_claim, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_admin_group, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="7d9431c8-50ce-4112-9d8b-541974d13d00"]: failed to verify secret, username: perftest7, error: failed to refresh token, username: perftest7, error: oauth2: "error: grant_type: refresh_token is not supported in this application"
2024-02-28T09:16:29Z [DEBUG] [/core/auth/authenticator.go:145]: Current AUTH_MODE is oidc_auth
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="116.236.195.166, 172.25.0.11" requestID="7d9431c8-50ce-4112-9d8b-541974d13d00" user agent="docker/20.10.10 go/go1.16.9 git-commit/e2f740d kernel/5.10.47-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.10 \(darwin\))"]: failed to authenticate user:perftest7, error:not supported
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="7d9431c8-50ce-4112-9d8b-541974d13d00"]: an unauthorized security context generated for request GET /service/token
2024-02-28T09:16:29Z [DEBUG] [/core/service/token/token.go:37]: URL for token request: /service/token?account=perftest7&client_id=docker&offline_token=true&service=harbor-registry
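To triage which users hit the IdP-side "refresh_token grant not supported" condition (a fix on the OIDC application, not per user) versus an ordinary rejected refresh token (the user re-logs in through the browser console), here is an added log-parsing example; it is not Harbor's own code. The lines are modelled on the harbor-core output above; the `alice` line and its request id are constructed.

```python
import re
from collections import defaultdict

# Constructed harbor-core excerpt modelled on the report's lines; the "alice"
# entry (and its request id) is invented to show a second failure cause.
SAMPLE_LOG = """\
2024-02-28T09:16:29Z [DEBUG] [/pkg/oidc/secret.go:87]: Verifying the secret for user: perftest7
2024-02-28T09:16:29Z [DEBUG] [/pkg/oidc/secret.go:116]: Refreshing token
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="7d9431c8-50ce-4112-9d8b-541974d13d00"]: failed to verify secret, username: perftest7, error: failed to refresh token, username: perftest7, error: oauth2: "error: grant_type: refresh_token is not supported in this application"
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="116.236.195.166, 172.25.0.11" requestID="7d9431c8-50ce-4112-9d8b-541974d13d00" user agent="docker/20.10.10"]: failed to authenticate user:perftest7, error:not supported
2024-02-28T09:17:02Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="11111111-2222-3333-4444-555555555555"]: failed to verify secret, username: alice, error: failed to refresh token, username: alice, error: oauth2: "error: invalid_grant"
"""

# timestamp [LEVEL] [source:line][optional attrs]: message
LINE_RE = re.compile(r'^(?P<ts>\S+) \[(?P<level>[A-Z]+)\] \[(?P<src>[^\]]+)\]'
                     r'(?:\[(?P<attrs>[^\]]*)\])?: (?P<msg>.*)$')
VERIFY_RE = re.compile(r'^failed to verify secret, username: (?P<user>[^,]+), error: (?P<err>.*)$')


def parse_line(line):
    """Split one harbor-core log line into fields; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rid = re.search(r'requestID="([^"]+)"', rec.get("attrs") or "")
    rec["request_id"] = rid.group(1) if rid else None
    return rec


def classify_error(err):
    """Map the IdP error text to a cause a defender can act on."""
    if "grant_type: refresh_token is not supported" in err:
        return "idp_refresh_grant_disabled"  # enable the refresh_token grant on the IdP app
    if err.startswith("failed to refresh token"):
        return "refresh_rejected"            # stored refresh token no longer accepted
    return "other"


def find_cli_secret_failures(log_text):
    """Group oidc_cli secret-verification failures by username, with timestamp, request id and cause."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["level"] != "ERROR" or "oidc_cli.go" not in rec["src"]:
            continue
        vm = VERIFY_RE.match(rec["msg"])
        if vm:
            failures[vm["user"]].append({"ts": rec["ts"], "request_id": rec["request_id"],
                                         "cause": classify_error(vm["err"])})
    return dict(failures)
```

Feed it the real harbor-core log (for example `docker logs harbor-core`) instead of `SAMPLE_LOG`; a cause of `idp_refresh_grant_disabled` across many users points at the OIDC application settings rather than individual accounts.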
I think I am having the same issue with Okta, although this happens to me even using Robot Accounts, which I thought had nothing to do with the upstream IdP and were locally issued... or not?
2024-03-03T07:20:07Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 653c23e4-c6dc-486a-837e-fad42450f4e6 to the logger for the request GET /v2/
2024-03-03T07:20:07Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /v2/
2024-03-03T07:20:07Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="653c23e4-c6dc-486a-837e-fad42450f4e6"]: an unauthorized security context generated for request GET /v2/
2024-03-03T07:20:07Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized: unauthorized"}]}
2024-03-03T07:20:10Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 5131bebe-9849-4e80-80c1-046f7441a304 to the logger for the request POST /service/token
2024-03-03T07:20:10Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /service/token
2024-03-03T07:20:10Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="5131bebe-9849-4e80-80c1-046f7441a304"]: an unauthorized security context generated for request POST /service/token
2024-03-03T07:20:10Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id dc8858cc-e720-4b5f-96ac-20c0819120ed to the logger for the request GET /service/token
2024-03-03T07:20:10Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /service/token?offline_token=true&service=harbor-registry
2024-03-03T07:20:10Z [INFO] [/server/middleware/security/robot.go:71][requestID="dc8858cc-e720-4b5f-96ac-20c0819120ed"]: a robot security context generated for request GET /service/token
2024-03-03T07:20:10Z [DEBUG] [/core/service/token/token.go:37]: URL for token request: /service/token?offline_token=true&service=harbor-registry
2024-03-03T07:20:10Z [DEBUG] [/core/service/token/creator.go:201]: scopes: []
2024-03-03T07:20:10Z [DEBUG] [/core/service/token/authutils.go:51]: scopes: []
This comes up when I try with a Robot Account.
I traced my issue to this https://github.com/goharbor/harbor/issues/20080, not sure you are having the same issue or not...
When logging in with the CLI, you should log in with the OIDC CLI secret, not the OIDC username/password. Please refer to the document: https://goharbor.io/docs/2.1.0/administration/configure-authentication/oidc-auth/#using-oidc-from-the-docker-or-helm-cli
@stonezdj I'm sure my docker login is using the OIDC CLI secret login.
I'm not sure if it has something to do with my upgrade from harbor-2.5 to harbor-2.10
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.