Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"devcontainer features publish" fails to log in with Artifactory #691

Closed
imphil opened this issue Nov 22, 2023 · 2 comments · Fixed by #692
Closed

"devcontainer features publish" fails to log in with Artifactory #691

imphil opened this issue Nov 22, 2023 · 2 comments · Fixed by #692
Assignees
@joshspicer

Comments

@imphil
Copy link
Contributor

imphil commented Nov 22, 2023
edited
Loading

We're using Artifactory as container registry and I'm trying to use it to store a Dev Container Feature. Unfortunately, the login fails.

I have setup a Docker credential helper to return the username and token, but we're not even getting there:

$ devcontainer features publish --registry docker-eu.artifactory.example.com -n my-repo/my-project devcontainer-features/src/git-absorb --log-level=trace
[3 ms] @devcontainers/cli 0.54.0. Node.js v20.9.0. linux 4.18.0-477.27.1.el8_8.x86_64 x64.
[3 ms] Packaging single feature...
[27 ms] Packaged feature 'git-absorb'
[34 ms] Processing feature: git-absorb...
[34 ms] > input: docker-eu.artifactory.example.com/my-repo/my-project/git-absorb
[34 ms] >
[34 ms] > resource: docker-eu.artifactory.example.com/my-repo/my-project/git-absorb
[34 ms] > id: git-absorb
[34 ms] > owner: my-repo
[34 ms] > namespace: my-repo/my-project
[34 ms] > registry: docker-eu.artifactory.example.com
[34 ms] > path: my-repo/my-project/git-absorb
[34 ms] >
[34 ms] > version: latest
[34 ms] > tag?: latest
[34 ms] > digest?: undefined
[35 ms] Feature Annotations: {"dev.containers.metadata":"{\"id\":\"git-absorb\",\"name\":\"Install git-absorb\",\"version\":\"1.0.0\",\"description\":\"Install git absorb (https://github.com/tummychow/git-absorb)\",\"installsAfter\":[\"ghcr.io/devcontainers/features/common-utils\"]}"}
[35 ms] Fetching published versions...
[251 ms] [httpOci] Attempting to authenticate via 'Bearer' auth.
[252 ms] [httpOci] WWW-Authenticate header is not in expected format. Got:  Bearer realm="https://docker-eu.artifactory.example.com/artifactory/api/docker/null/v2/token",service="docker-eu.artifactory.example.com"
[252 ms] Request failed
[252 ms] (!) ERR: Failed to publish 'docker-eu.artifactory.example.com/my-repo/my-project/git-absorb'

The scope key is not part of the response, which seems to be allowed according to https://datatracker.ietf.org/doc/html/rfc6750#section-3 (as referenced in https://distribution.github.io/distribution/spec/auth/token/).

I'm not even close to understanding how the auth flow works, so I'd appreciate further input on that.

Container Registry: Artifactory Enterprise Plus 7.55.8 rev 75508900
@imphil imphil mentioned this issue Nov 22, 2023
Merged
imphil added a commit to imphil/cli that referenced this issue Nov 22, 2023
@imphil
Fix authentication against Artifactory
98c90e7 
To authenticate against an OCI registry the code currently requires a
`scope` attribute in the `WWW-Authenticate` header. This key is optional
according to RFC 6750 [1], an empty string can be used if it's not
present.

Artifactory does not include the `scope` attribute and hence
authentication fails currently. Fix that by making the attribute
optional.

[1] "Use of the "scope" attribute is OPTIONAL."

Fixes devcontainers#691
@imphil
Copy link
Contributor Author

imphil commented Nov 22, 2023

With #692 I'm able to successfully push a feature to Artifactory.

@samruddhikhandale
Copy link
Member

Thank you for reporting the issue and the quick fix, left a review comment.

imphil added a commit to imphil/cli that referenced this issue Nov 27, 2023
@imphil
Fix authentication against Artifactory
dc41f2f 
To authenticate against an OCI registry the code currently requires a
`scope` attribute in the `WWW-Authenticate` header. This key is optional
according to RFC 6750 [1], an empty string can be used if it's not
present.

Artifactory does not include the `scope` attribute and hence
authentication fails currently. Fix that by making the attribute
optional.

[1] "Use of the "scope" attribute is OPTIONAL."

Fixes devcontainers#691
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joshspicer joshspicer

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix authentication against Artifactory imphil/cli
3 participants
@imphil @joshspicer @samruddhikhandale