docker / for-mac

Bug reports for Docker Desktop for Mac
https://www.docker.com/products/docker#/mac

Signin required by admin - but it is not #7430

Closed ViggoV closed 2 hours ago

ViggoV commented 6 days ago

Description

Every so often when I turn on my laptop Docker signs me out, and then tells me that signin is required by my admin. My admin has not set any such restrictions and, as far as I can tell, should not have any authority over my local docker installation, since my account is not owned by the Organization, but is only a member.

Reproduce

I am not sure exactly what goes wrong but these are the conditions under which I experience the bug:

Note: the issue does not occur if I sign out manually

Expected behavior

Docker desktop should launch normally, optionally letting me know that I'm signed out. Ideally only notify me if and when I am trying to pull from a private repository.

docker version

Client:
 Version:           27.2.0
 API version:       1.47
 Go version:        go1.21.13
 Git commit:        3ab4256
 Built:             Tue Aug 27 14:14:45 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.34.2 (167172)
 Engine:
  Version:          27.2.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.21.13
  Git commit:       3ab5c7d
  Built:            Tue Aug 27 14:15:41 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.20
  GitCommit:        8fc6bcff51318944179630522a095cc9dbf9f353
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    27.2.0
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.16.2-desktop.1
    Path:     /Users/vef/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.2-desktop.2
    Path:     /Users/vef/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.34
    Path:     /Users/vef/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Alpha) (Docker Inc.)
    Version:  v0.0.15
    Path:     /Users/vef/.docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /Users/vef/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.25
    Path:     /Users/vef/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /Users/vef/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.3.0
    Path:     /Users/vef/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/vef/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.13.0
    Path:     /Users/vef/.docker/cli-plugins/docker-scout

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 16
 Server Version: 27.2.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.10.4-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 10
 Total Memory: 7.655GiB
 Name: docker-desktop
 ID: a624d95d-8d99-40e1-8e51-2a4c50520e0c
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/vef/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

C143C871-FDEA-4805-A439-17B7216786F5/20240924080540

Additional Info

No response

jpbriend commented 5 days ago

Hey @ViggoV, according to the logs, when you start Docker Desktop and get logged out, the reason is because there is no network connectivity to https://hub.docker.com/api/content/v1/entitlement/.... Would you mind trying to reproduce the bug but not when the computer starts? (i.e. when you have fully working network connectivity)

jpbriend commented 5 days ago

Also, there are 2 ways of enforcing SignIn by administrators. You can check these files on your laptop:

ViggoV commented 4 days ago

@jpbriend Neither of those files exist

As mentioned in the original post I cannot replicate it when signing out and in while the machine is on. It only happens when I boot up, and only occasionally (presumably when my login token expires). Since you mention network connectivity I suspect our Cloudflare Warp setup is part of the problem. It tends to cause some "no internet" issues now and again, but it is still a bug that Docker insists that I'm required to sign in.

Also, I rarely need to be signed in, since all of our private images are built in CI and never used locally. It seems counterproductive for security to force sign in, as it means the computer always has access to the private repository should it fall into the wrong hands. But I digress

jpbriend commented 4 days ago

Docker Desktop has a mechanism to handle network issues at startup (the most common use-case is the computer starts Docker Desktop so fast that wifi does not yet have time to connect): it retries to automatically sign-in the user every 10 seconds. Having your login token expire should be quite rare because we use an access_token (TTL a few minutes) and a refresh_token (many days). IIRC the refresh_token expires after 30 days if not used or after 90 days if used. That would mean if you use Docker Desktop at least once a month, you should be asked to sign-in again 90 days after your previous sign-in. But it seems to be more often in your case, am I right?

Except these 2 files present on the file system, only enabled Business features (such as Enhanced Container Isolation) can require you to sign in. According to the diagnostic, you did not enable this feature. To me it looks like a bug where the sign-in enforcement mechanism is triggered when it shouldn't. The tricky part is now going to be able to reproduce the bug.

Whenever the bug occurs again, would you mind generating a new diagnostic as soon as sign-in is enforced? (don't sign-in again, you can generate a diagnostic using CLI even if Docker Desktop is waiting for you to sign-in: https://docs.docker.com/desktop/troubleshoot/#diagnose-from-the-terminal#mac)
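
The refresh_token lifetime rules described in the comment above, modelled as an added example (not part of the thread and not Docker's code). The 30-day idle and 90-day absolute limits are the figures recalled in that comment and are treated as assumptions; the function name and sample dates are constructed.

```python
from datetime import datetime, timedelta

# Figures recalled ("IIRC") in the comment above; assumptions, not documented values.
IDLE_TTL = timedelta(days=30)      # refresh_token expires if unused for this long
ABSOLUTE_TTL = timedelta(days=90)  # refresh_token expires this long after sign-in


def forced_sign_in_at(signed_in, refresh_times):
    """Return (when, reason) for the moment the refresh_token stops working.

    signed_in     -- datetime of the interactive sign-in that issued the token
    refresh_times -- datetimes at which the client tried to use the token
    reason        -- "idle" (sliding window ran out) or "absolute" (hard cap)
    """
    hard_deadline = signed_in + ABSOLUTE_TTL
    last_used = signed_in
    for t in sorted(refresh_times):
        if t < signed_in:
            continue  # belongs to an earlier session
        if t >= min(last_used + IDLE_TTL, hard_deadline):
            break  # token was already expired when this refresh was attempted
        last_used = t  # a successful refresh slides the idle window forward
    idle_deadline = last_used + IDLE_TTL
    if idle_deadline < hard_deadline:
        return idle_deadline, "idle"
    return hard_deadline, "absolute"


if __name__ == "__main__":
    start = datetime(2024, 6, 1)  # constructed sign-in date
    # Constructed usage patterns: a weekly user and a rare user.
    weekly = [start + timedelta(days=7 * i) for i in range(1, 21)]
    rare = [start + timedelta(days=10), start + timedelta(days=45)]
    for name, uses in (("weekly", weekly), ("rare", rare)):
        when, reason = forced_sign_in_at(start, uses)
        print(f"{name}: sign-in needed from {when:%Y-%m-%d} ({reason} expiry)")
```

Under these assumptions a frequent user hits only the absolute cap, while a gap of more than 30 days between refreshes ends the session early through the idle limit.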

ViggoV commented 4 days ago

I'll try to remember it, but it is quite rare that I find myself logged out. 30 days sounds about right. I almost never use the desktop app as I prefer CLI, and I also almost never push or pull from the private repository. Might that be a factor?

jpbriend commented 3 days ago

@ViggoV I found the bug, I'm working on a fix. It will not get into 4.35 but definitely in 4.36.

ViggoV commented 2 hours ago

Wonderful! Thanks for your help