docker-archive / docker-registry

This is **DEPRECATED**! Please go to https://github.com/docker/distribution
Apache License 2.0

401 insufficient_scope getting /tags/list #1071

Closed hrobertson closed 8 years ago

hrobertson commented 8 years ago

Sorry to post this here as I appreciate the registry used by Docker Hub will differ from this project, but I figured this was the best place to report this.

As you can see in this example, after getting a token for scope pull, the subsequent request is denied with the error "insufficient_scope" although the required scope is still stated in the Www-Authenticate header as pull.

$ curl -i https://registry.hub.docker.com/v2/<repo>/tags/list
HTTP/1.1 401 Unauthorized
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:<repo>:pull"
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Name":"<repo>","Action":"pull"}]}]}

$ curl -i https://auth.docker.io/token?service=registry.docker.io&scope=repository:<repo>:pull
HTTP/1.1 200 OK
{"token":"eyJhbGciOiJFU..."}

$ curl -i -H "Authorization: Bearer eyJhbGciOiJFU..." https://registry.hub.docker.com/v2/<repo>/tags/list
HTTP/1.1 401 Unauthorized
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:<repo>:pull",error="insufficient_scope"
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Name":"<repo>","Action":"pull"}]}]}

(Output trimmed for clarity)

I have tried replacing pull with list and * to no avail. Am I doing something wrong or is this a bug? $ curl https://registry.hub.docker.com/v1/repositories/<repo>/tags works fine.

Thanks

harryi3t commented 8 years ago

+1 same problem

harryi3t commented 8 years ago

Hey, I solved it. Actually it was a mistake on my part. While getting the token I was using

https://DTR_NAME/auth/token?service=DTR_SERVICE_NAME&scope=repository:NAMESPACE/REPOSITORY:pull

and while getting the tags, I was doing

https://DTR_NAME/v2/REPOSITORY/

Just make sure you use NAMESPACE/REPOSITORY in both places. Hope I could help.

hrobertson commented 8 years ago

Thanks for your input but I was not making that mistake. Try this yourself:

$ curl -i https://registry.hub.docker.com/v2/docker/whalesay/tags/list
HTTP/1.1 401 Unauthorized
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:docker/whalesay:pull"

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Name":"docker/whalesay","Action":"pull"}]}]}

$ curl -i https://auth.docker.io/token?service=registry.docker.io&scope=repository:docker/whalesay:pull
HTTP/1.1 200 OK

{"token":"eyJhbGciOiJFUzI1N..."}

$ curl -i -H "Authorization: Bearer eyJhbGciOiJFUzI1N..." https://registry.hub.docker.com/v2/docker/whalesay/tags/list
HTTP/1.1 401 Unauthorized
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:docker/whalesay:pull",error="insufficient_scope"

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Name":"docker/whalesay","Action":"pull"}]}]}

hrobertson commented 8 years ago

Closing as this repo is deprecated in favour of https://github.com/docker/distribution

markriggins commented 8 years ago

Closed but not fixed or answered?

hrobertson commented 8 years ago

@markriggins Closed because docker/docker-registry is deprecated in favour of docker/distribution. Issue here: https://github.com/docker/distribution/issues/1676

Solution is to quote the URL.
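
Added example, not part of the original thread: it shows what the shell hands to a command when the token URL from the sessions above is left unquoted, and how to check a token's `access` claim (the Docker registry token format) for the pull grant. The `show` stub stands in for curl, and the helper names and both tokens are constructed for illustration; nothing touches the network.

```shell
#!/bin/sh
# Added example: a stub function stands in for curl; nothing touches the network.
TOKEN_URL='https://auth.docker.io/token?service=registry.docker.io&scope=repository:docker/whalesay:pull'

# Print the URL a command receives when the shell parses the line with the
# URL unquoted or single-quoted. $1 = unquoted | quoted
url_seen() {
    case "$1" in
        unquoted) line="show $TOKEN_URL" ;;
        quoted)   line="show '$TOKEN_URL'" ;;
        *) return 2 ;;
    esac
    # Unquoted, '&' ends the command and backgrounds it; the rest of the
    # line becomes a shell variable assignment (scope=...).
    sh -c "show() { printf '%s\n' \"\$1\"; }; $line; wait"
}

# base64url-encode stdin without padding (used to build constructed tokens).
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Build an unsigned, constructed sample token around a JSON claim set.
sample_token() { printf '%s.%s.sig' "$(printf '{"alg":"none"}' | b64url)" "$(printf '%s' "$1" | b64url)"; }

# Decode the claim set (second dot-separated part) of a JWT.
jwt_claims() {
    p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#p} % 4 )) in 2) p="$p==" ;; 3) p="$p=" ;; esac
    printf '%s' "$p" | base64 -d
}

# Succeed if the token's "access" claim lists pull on repository $2.
# Rough text match; assumes compact JSON with keys in type,name,actions order.
grants_pull() {
    jwt_claims "$1" | grep -Eq "\"name\":\"$2\",\"actions\":\[[^]]*\"pull\""
}

# Constructed claim sets: a token issued without the scope, and one with it.
NO_SCOPE=$(sample_token '{"access":[]}')
WITH_SCOPE=$(sample_token '{"access":[{"type":"repository","name":"docker/whalesay","actions":["pull"]}]}')

echo "unquoted: $(url_seen unquoted)"
echo "quoted:   $(url_seen quoted)"
grants_pull "$NO_SCOPE" docker/whalesay   || echo "no-scope token: pull not granted"
grants_pull "$WITH_SCOPE" docker/whalesay && echo "scoped token: pull granted"
```

Running `jwt_claims` on a real token from the auth endpoint is a quick way to tell a missing grant apart from a wrong repository name before retrying the registry request.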