harbor icon indicating copy to clipboard operation
harbor copied to clipboard
verified publisher icon goharbor

Harbor Token Expiration (Minutes) setting

Open ep4sh opened this issue 10 months ago • 12 comments

Dear community, could you please explain some features regarding token lifetime with OIDC.

I use OIDC (keycloak) and harbor (works perfectly, btw).

My token expiration is 360min, but it looks like the token is being expired earlier than the desired timeframe. I guess it could depend on OIDC parameter like refresh token, isn't it?

Image

thanks in advance, P.

ep4sh avatar Feb 20 '25 13:02 ep4sh

the token expiration is for the distribution v2 api token to pull artifacts, and the second session timeout is for the harbor UI session timeout.

Can you explain the issue that you have in details?

wy65701436 avatar Feb 24 '25 07:02 wy65701436

Sure, as you can see, I set up 360 minutes for token expiration, unfortunately, I'm getting unauthorized error for docker CLI (approximately) every 50–60 minutes. Then I have to open harbor UI, logout, login with Keycloak, exec docker login.

I just want to perform those operations once a day (let's say once in 360m).

If you're curious about versions:

  • harbor v2.12.2
  • Docker version 27.5.1, build 9f9e405801

Thanks!

ep4sh avatar Feb 24 '25 08:02 ep4sh

same problem

fangzhengjin avatar Feb 25 '25 09:02 fangzhengjin

My guess is when the token is being created here (from user config):

  • https://github.com/goharbor/harbor/blob/main/src/core/service/token/authutils.go#L118 But unfortunately, user config loading is missing:
  • https://github.com/goharbor/harbor/blob/main/src/lib/config/userconfig.go#L94

So the default config (DefaultMgr) was used. I've also created a draft PR for it, please check.

Thanks, P.

ep4sh avatar Feb 26 '25 20:02 ep4sh

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar May 11 '25 09:05 github-actions[bot]

Still facing the issue

ep4sh avatar May 12 '25 10:05 ep4sh

Hello! I'm experiencing the same issue. I'm facing similar symptoms where the token expires earlier than expected, and I have to re-authenticate. Hoping that the proposed solution will help me too. Will be following the updates!

smuglik avatar Jun 23 '25 09:06 smuglik

Completely agree with @ep4sh and @smuglik

Sergey-Pravdyukov avatar Jun 23 '25 10:06 Sergey-Pravdyukov

I'm getting unauthorized error for docker CLI (approximately) every 50–60 minutes. Then I have to open harbor UI, logout, login with Keycloak, exec docker login.

FYI, on our side when we receive a 401: Unauthorized (e.g. pulling a chart or image), this solves it :

  1. Logout from Harbor UI
  2. Login in Harbor UI (using the OIDC, Keycloak as well)
  3. Run the failing command again from the terminal, and it just works (e.g. helm dep build, docker pull <image-from-harbor>)

AFAIK, no need to re-login like docker login.

Further details : https://github.com/goharbor/harbor/pull/21677#issuecomment-3112489304

tla-ou-tpla avatar Jul 24 '25 08:07 tla-ou-tpla

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Sep 22 '25 09:09 github-actions[bot]

Hi folks, not sure if I'm able to provide any additional details on the issue, could you please point me out, what's the next step to take? =}

thanks, P.

ep4sh avatar Sep 22 '25 13:09 ep4sh

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Nov 23 '25 09:11 github-actions[bot]