AutH/AuthZ flows for registries

[toddysm]

In the distribution spec there is only a single sentence about AutH/AutZ:

This endpoint MAY be used for authentication/authorization purposes, but this is out of the purview of this specification.

And the only available description how to authenticate with registry is available in Docker auth token documentation. It seems though that different vendors interpret the flows differently and clients have different expectations about the flows.

Has the community thought of providing standardized auth and autz flows for registries? Especially interesting are use-cases with registries that have anonymous access, registries with mixed (anonymous and restricted) access as well as more sophisticated implementation of RBAC on registries. Curious to hear thoughts about this?

[sudo-bmitch]

I'd love to see that documented and standardized. I think this is a duplicate of #240.

[joshspicer]

We at the devcontainers project +1 to a standardized spec for authz/authn. We utilize the distribution spec and have received requests to support X registry, which is difficult to do with many different approaches to auth.

[XenoAmess]

We at the devcontainers project +1 to a standardized spec for authz/authn. We utilize the distribution spec and have received requests to support X registry, which is difficult to do with many different approaches to auth.

Yes, it's complicated. But that's precisely why we need a spec here...
I happen to be maintaining a registry implementation at https://github.com/oci-j/funeral. Right now, my implementation is stuck on this part since no spec exists, and I'm forced to choose between:

1. Reverse-engineering how Docker handles this (I have my reservations about Docker, but I accept that it's still the industry standard)
2. Leaving it unimplemented (which would put my blog site in a risky situation, since I'm actually using my own implementation as the registry for my k3s-based blog)

[sudo-bmitch]

There is a working group for this (see wg-auth). The effort is currently stalled due to a lack of free time to implement a proposal (I'm busy on #588 in my free time), but hopefully it will pick back up later this year. The distribution project has documentation on token auth at https://distribution.github.io/distribution/spec/auth/.

[XenoAmess]

There is a working group for this (see wg-auth. The effort is currently stalled due to a lack of free time to implement a proposal (I'm busy on #588 in my free time), but hopefully it will pick back up later this year. The distribution project has documentation on token auth at https://distribution.github.io/distribution/spec/auth/.

thanks! I had a look and impl some parts of it (then also see how docker client handle it ) and now yes it can co-work with docker client.
still, the doc you offered on https://distribution.github.io/distribution/spec/auth/#distribution-registry-v2-authentication have something with auth, yes, though https://github.com/opencontainers/distribution-spec/blob/main/spec.md have nothing with auth(at least I didn't find the OAuth2 Token Authentication part), or I missed something?

[XenoAmess]

Oh I see there be a detail.md. that make sence.

[sudo-bmitch]

You are looking at two different projects in GitHub. One is a registry implementation, the other is this specification. The rest was covered in my first two sentences above.