Trying to connect to private registry with custom token auth (not a bug, just looking for help) #421

@zenbones

I'm running docker-registry-ui with docker compose. Our private registry, running on another server, uses token auth, and we have a custom auth server, and that has been working fine for some time. The docs for token auth with this project suggest...

In this image, we will replace the docker client/daemon by the Docker Registry UI. Here are the steps:

1. Attempt to get a resource (catalog, image info, image delete) with the registry.
2. If the registry requires authorization it will return a `401 Unauthorized` HTTP response with information on how to authenticate.

This is true, all good so far.

3. The docker registry ui makes a request to keycloak for a Bearer token.
  1. Your browser will use the [Basic Access Authentication Protocol](https://en.wikipedia.org/wiki/Basic_access_authentication#Protocol). But keycloak does not support this protocol... That's why we need a nginx proxy on top of keycloak.
  2. Your proxy will receive a request on /auth/realms/{realm name}/protocol/docker-v2/auth without Authentication header. It will return a 401 Unauthorized HTTP response with WWW-Authenticate header.

Not so true. Looking at the dev tools in the web app I see a single request for...

```
http://<host>/v2/_catalog?n=1000
Request Method: GET
```

...that returns a 401, and I get no further requests on any path. With tcpflow I see the request above (3 times actually), and 3 responses...

```
010.000.002.119.00080-010.000.000.015.62553: HTTP/1.1 401 Unauthorized
Server: nginx/1.27.4
Date: Mon, 14 Apr 2025 22:02:37 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 87
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://<host>/<path>/docker/auth",service="myservice"
X-Content-Type-Options: nosniff
P3P: CP="Contact [email protected] for our policy."

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
```

But no further requests.

Should the ui be making a request on the...
/auth/realms/{realm name}/protocol/docker-v2/auth
...path?

Am I doing something wrong?
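
The challenge-to-token step asked about above, as an added example that is not part of the original issue or the docker-registry-ui code: it parses the `Www-Authenticate` Bearer challenge out of a 401 response and builds the token request that a client following the registry token flow would send next. The host `auth.example.test`, the helper names and the `registry:catalog:*` fallback scope are assumptions for illustration.

```javascript
// Constructed sample modelled on the capture above; host and path are placeholders.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 401 Unauthorized',
  'Docker-Distribution-Api-Version: registry/2.0',
  'Www-Authenticate: Bearer realm="https://auth.example.test/docker/auth",service="myservice"',
  '',
  '{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}',
].join('\r\n');

// Return a header value from a raw response head (header names are case-insensitive).
function getHeader(raw, name) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  for (const line of head.split(/\r?\n/).slice(1)) {
    const i = line.indexOf(':');
    if (i > 0 && line.slice(0, i).trim().toLowerCase() === name.toLowerCase()) {
      return line.slice(i + 1).trim();
    }
  }
  return null;
}

// Parse `Bearer k="v",k2="v2"`; quoted values may contain commas (e.g. scope).
function parseBearerChallenge(value) {
  const m = /^Bearer\s+(.*)$/i.exec(value || '');
  if (!m) return null;
  const params = {};
  const re = /([A-Za-z_]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(m[1])) !== null) {
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2].replace(/\\(.)/g, '$1') : p[3];
  }
  return params.realm ? params : null;
}

// Build the follow-up token request: GET <realm>?service=...&scope=...
function buildTokenUrl(challenge, fallbackScope) {
  const url = new URL(challenge.realm);
  if (challenge.service) url.searchParams.set('service', challenge.service);
  const scope = challenge.scope || fallbackScope; // challenge above carries no scope
  if (scope) url.searchParams.set('scope', scope);
  return url.toString();
}

// Null means no Bearer challenge was found, so no token request can follow.
function nextRequestFor(raw, fallbackScope) {
  const challenge = parseBearerChallenge(getHeader(raw, 'WWW-Authenticate'));
  return challenge ? buildTokenUrl(challenge, fallbackScope) : null;
}
```

Comparing the URL this returns for a captured 401 against the requests seen in the browser's network tab or in tcpflow shows whether the token step was attempted at all.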
