Add Token Login

[bibby]

The introduction of basic-auth login (#30) is a good first step towards registries for groups. As groups grow, and push/pull actions need granular restriction, the group finds itself in need of the token-based authentication method.

Using the existing login form, the username and password would relay to an authentication service in exchange for a JSON Web Token. Communication with the registry then includes the header:

Authorization: Bearer {jw_token}

One example authorization service is opendns/registry-oauth-server

[parabuzzle]

Crane operator is a browser on top of your chosen registry v2 compliant service. It doesn't have any ties to how push and pull authorization works... You implement that in the registry. The feature implemented in issue #30 is the addition of a username and password box that checks the auth against the backend registry, saves the info in the session and then uses that info to authenticate api calls to the registry's preferred method for http as per the api spec.. as of today (basic auth).

Once the api supports Bearer token auth, I will be glad to add that as an option for how to authenticate to the registry.

API docs: https://docs.docker.com/registry/spec/api/#base
Setting up your own registry: http://www.mikeheijmans.com/docker/2016/05/18/setting-up-your-own-docker-registry/

[bibby]

Thanks, Mike. I appreciate your project and respect your reasoning.

You are correct that restrictions on push and pull is a negotiation between the registry and the authorization service. However, when the auth method is set to 'token', the 'basic' auth goes away.

Token-backed authentication has been supported by the api since version 2.0.0, and I've managed to cobble together a working implementation for craneoperator on a fork.

I've never written Ruby, so I'll withhold a pull request; but I still wanted you to be aware. A docker distribution design decision was such that tokens are issued with very limited scopes, making it necessary to make requests for individual items as needed. To save some overhead, I added a LRUCache to retain client tokens for a short time.

The response so far from our organization is positive, and we encourage your experimentation with token-backed authenticators should you find the time.

A new configuration item REGISTRY_AUTH_TYPE (values: basic or token) set the expectation, and should match what is configured on the registry. Auth host is not needed, as the location and specific scope needed is reported by the registry in its initial 401.

Cheers!

[jdel]

I would very much like to have this implemented ! 👍

[parabuzzle]

ok... I did not know that. Neat! I'll try to prioritize this in.. Or if you want to open a pull request, I'm happy to work with you on getting it in :)

[jdel]

I haven't written any ruby in ages, but @bibby 's code doesn't look like it has any major flaws to me.

Only thing I can think about is to have a TOKEN_CACHE variable to select the cache TTL and set to 0 to disable cache completely.

Happy to help testing this pull request.

[bibby]

I'm also happy to defer a real pull request to someone with more Ruby experience.

[parabuzzle]

@bibby can you open a pull request for this from your fork please? I'm happy to work with you on any syntax or other things that may need to be tweaked through the PR and review process.