Open ambsw-technology opened 7 years ago
OK. I'm having issues, but I the `.docker/config.json` instructions in the Swarm API documentation explain how to feed a header (token) to the CLI. It seems like we should be able to apply this to the Docker Registry v2 auth token documentation. Loosely:
- `docker login` on the build machine
- `https://auth.docker.io/token?service=registry.docker.io&scope=repository:<repo>:<permissions>`
- `~/.docker/config.json` and add:

```
"HttpHeaders": {
    "Authorization": "Bearer <token>"
}
```
NOTE: This token (at least by default) expires in 300 seconds. Perhaps the simplest way to handle this is to get a new token (and pass it to the client) for each Docker CLI call.
The same question was asked here. I've replied to see if I can solicit a response from the original poster or community.
Created an issue on the docker repo.
I finally resolved the bearer token issue. It was an authentication issue when requesting the token that was causing an empty `access` section (but obfuscated by the token encoding). All I needed was to add a header to the token request: `Authorization: Basic <base64 encoded "username:password">`
I'm going to work up some code that obtains and relays a token to the client. Once I get it working, I'll provide it here so you can consider running something comparable before the relevant CLI calls.
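An added illustration (not code from this thread or from Docker): it builds the token request with the Basic header described above and decodes a token's payload so an empty `access` section or an expired token is visible before the token is used. The claim names `access` and `exp` are assumed to follow the Docker Registry v2 token specification; the function names, the repository `library/alpine` and the sample tokens are constructed.

```python
import base64
import json
from urllib.parse import urlencode

AUTH_URL = "https://auth.docker.io/token"  # endpoint quoted in the thread


def token_request(repo, permissions, username, password):
    """Build URL and headers for the token request (no network I/O here)."""
    scope = f"repository:{repo}:{permissions}"
    query = urlencode({"service": "registry.docker.io", "scope": scope}, safe=":/,")
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"{AUTH_URL}?{query}", {"Authorization": f"Basic {basic}"}


def decode_claims(token):
    """Decode the JWT payload without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, repo, wanted, now):
    """Return (ok, reason): does the token grant `wanted` actions on `repo`?"""
    claims = decode_claims(token)
    if claims.get("exp", 0) <= now:
        return False, "expired"
    for entry in claims.get("access") or []:
        if entry.get("type") == "repository" and entry.get("name") == repo:
            missing = sorted(set(wanted) - set(entry.get("actions", [])))
            return (not missing, f"missing {missing}" if missing else "ok")
    return False, "empty or unrelated access claim"


def fake_token(claims):
    """Constructed sample: JWT-shaped string with a dummy signature part."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    grant = [{"type": "repository", "name": "library/alpine", "actions": ["pull"]}]
    for access in (grant, []):  # authenticated vs. unauthenticated request
        tok = fake_token({"exp": 1300, "access": access})  # 300 s after now=1000
        print(check_token(tok, "library/alpine", ["pull"], now=1000))
```
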
TL;DR the docker folks recommend logging in on the target or logging in locally and pushing the docker conf file to the target.
After resolving all of these bearer token issues, I learned that Bearer tokens cannot be manually injected into the CLI. The "long-lived refresh tokens" that are supposed to fill this role are also unsupported. Finally, there's a credential manager option, but it doesn't sound like it adds much for the (considerable) trouble. The full exchange can be found on the docker ticket.
I don't think it's a good idea to automatically distribute a user's credentials (the docker conf strategy does this). Instead, I think it makes sense to document the limitation and wait until long lived refresh tokens are an option.
The CLI introduces an extra wrinkle when it comes to authentication. Since we're not using the API, our local credentials don't get used by the client. Obviously, the simplest solution is to `docker login` on the client side, but that leaves a password hash in `.docker/config.json`, so I'm trying to figure out if we can use the token infrastructure with the CLI.