Support usage of Organization Access Tokens (OAT)
Hey 👋
loving this Github Action so far!
Problem description:
Our org recently moved to use Organization Access Tokens (OAT) rather than Personal Access Tokens (PAT) in our deployment pipelines, see https://docs.docker.com/security/for-admins/access-tokens/
This works well for all other actions which push images to DockerHub. However, the update-description action fails with
2024-12-03T09:06:54.3973709Z ##[group]Run peter-evans/dockerhub-description@v4
2024-12-03T09:06:54.3975152Z with:
2024-12-03T09:06:54.3976736Z username: ***
2024-12-03T09:06:54.3977895Z password: ***
2024-12-03T09:06:54.3979062Z repository: ***/micropowermanager-backend
2024-12-03T09:06:54.3980973Z short-description: Open Source Management Tool for Decentralized Utilities
2024-12-03T09:06:54.3982679Z ##[endgroup]
2024-12-03T09:06:54.4475667Z Reading description source file
2024-12-03T09:06:54.4491208Z Acquiring token
2024-12-03T09:06:54.7319170Z ##[error]Unexpected response: 401 Unauthorized
It would be great if we can use the update-description with OAT.
Additional information:
I don't fully understand where the issue is coming from. It might be related to the fact that OAT and PAT have slightly different permission levels. For example, for PAT I chose Read, Write, Delete as scope, while OATs have the scopes Push and Pull.
Hi @dmohns
It's not clear to me from the documentation whether these tokens support the API this action uses.
Push and Pull doesn't seem like the right scope to me. Is there a more permissive scope with Admin-like privilege?
I don't have access to this feature so I can't check. 😅
This looks a lot like some issue on DockerHub side with these new tokens. I guess they are in beta after all 😄
I did some testing here on my side. Actually the login call is already causing problems. Trying to run only the login from my local machine yields
{
"detail": "Cannot log into an organization account"
}
I also noticed here in the Docker Hub API docs that
[!NOTE] As of Monday, September 16, 2024, this route requires a PAT instead of a password if your organization has SSO enforced.
Maybe this is interfering.
I will raise the issue to DockerHub. Let's see what the response is. Keeping this issue open for visibility.
Looks like you are using the deprecated /v2/users/login endpoint.
I wonder if things will just work if you switch to the recommended /v2/auth/token endpoint instead.
I created PR #311 for updating the endpoint as @jspiewak mentioned. This does fix the 401 issue when creating tokens using an OAT, but it would appear that OATs still lack sufficient permissions to use the /v2/repositories/ endpoint.
@peter-evans do you happen to know if there's any public documentation of that /v2/repositories/ endpoint? It's not in with the rest of the Docker Hub API and I was hoping any sort of documentation could clear up our issues with using OATs.
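As an added example (not code from this thread, from peter-evans/dockerhub-description, or from Docker), the snippet below contrasts the deprecated `/v2/users/login` call with the recommended `/v2/auth/token` call and keeps the `detail` field of a 401 body, so a failure like "Cannot log into an organization account" is visible instead of being collapsed to "401 Unauthorized". The request and response field names follow the Docker Hub API reference; the `fakeHubFetch` stand-in, its canned responses and the `example-org` / `dckr_oat_placeholder` values are constructed for the example and are not real Docker Hub behaviour beyond the quoted error message.

```javascript
// Added example: acquire a Docker Hub token via either endpoint and surface the
// error detail on failure. Assumes a fetch-compatible function (Node 18+ global
// fetch, or the injected stand-in below).

const HUB = 'https://hub.docker.com';

// Request/response shape per endpoint. /v2/users/login (deprecated) takes
// {username, password} and returns {token}; /v2/auth/token takes
// {identifier, secret} and returns {access_token, refresh_token}.
const ENDPOINTS = {
  legacy: { path: '/v2/users/login', body: (u, s) => ({ username: u, password: s }), field: 'token' },
  current: { path: '/v2/auth/token', body: (u, s) => ({ identifier: u, secret: s }), field: 'access_token' },
};

async function acquireToken(endpoint, username, secret, fetchImpl = fetch) {
  const ep = ENDPOINTS[endpoint];
  if (!ep) throw new Error(`unknown endpoint ${endpoint}`);
  const res = await fetchImpl(HUB + ep.path, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(ep.body(username, secret)),
  });
  // Docker Hub answers with JSON for both success and error; tolerate a non-JSON body.
  let payload = {};
  try { payload = await res.json(); } catch { /* leave payload empty */ }
  if (!res.ok) {
    // Keep the server's "detail" so the failure is diagnosable. The secret is
    // never included in the message.
    const detail = payload.detail ?? payload.message ?? '(no detail in response body)';
    throw new Error(`${ep.path} returned ${res.status}: ${detail}`);
  }
  if (typeof payload[ep.field] !== 'string') {
    throw new Error(`${ep.path} succeeded but response lacks "${ep.field}"`);
  }
  return payload[ep.field];
}

// Returns a plain result object instead of throwing, for side-by-side comparison.
async function tryLogin(endpoint, username, secret, fetchImpl = fetch) {
  try {
    return { ok: true, token: await acquireToken(endpoint, username, secret, fetchImpl) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed stand-in for fetch that mimics what this thread reports: the
// legacy endpoint rejects an organization login, the token endpoint accepts it.
// Only the "Cannot log into an organization account" text comes from the thread;
// everything else here is made up for the example.
function fakeHubFetch(url, init) {
  const body = JSON.parse(init.body);
  const reply = (status, json) => Promise.resolve({
    ok: status >= 200 && status < 300,
    status,
    json: () => Promise.resolve(json),
  });
  if (url.endsWith('/v2/users/login')) {
    if (body.username === 'example-org') {
      return reply(401, { detail: 'Cannot log into an organization account' });
    }
    return reply(200, { token: 'legacy-jwt-placeholder' });
  }
  if (url.endsWith('/v2/auth/token')) {
    if (body.identifier && body.secret) {
      return reply(200, { access_token: 'access-jwt-placeholder', refresh_token: 'refresh-placeholder' });
    }
    return reply(401, { detail: 'constructed: missing identifier or secret' });
  }
  return reply(404, { detail: 'constructed: unknown route' });
}

// Stand-alone demo against the constructed stand-in (no network access).
tryLogin('legacy', 'example-org', 'dckr_oat_placeholder', fakeHubFetch).then(r => console.log('legacy :', r));
tryLogin('current', 'example-org', 'dckr_oat_placeholder', fakeHubFetch).then(r => console.log('current:', r));
```

Swapping `fakeHubFetch` for the real `fetch` turns this into a quick local check of which endpoint accepts a given token; the important design point is that the 401 body is read and reported, which is exactly the information the action's "Unexpected response: 401 Unauthorized" message lost.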
Checking the API Docs (https://docs.docker.com/reference/api/hub/latest/) I'm confused as to how this is supposed to be working anyways. Login seems to work, but there is no PATCH endpoint for updating anything except tag (searching for "/v2/repositories/{repository}"). Or what are the docs I should rather be looking at?