Working group proposal for auth

[sudo-bmitch]

Signed-off-by: Brandon Mitchell git@bmitch.net

This PR proposes a new working group to specify authentication and authorization between registries and clients.

References:

• Existing docker specification on bearer auth: https://docs.docker.com/registry/spec/auth/token/
• Distribution spec issue: https://github.com/opencontainers/distribution-spec/issues/240
• Distribution spec issue: https://github.com/opencontainers/distribution-spec/issues/338
• OCI meeting at CloudNativeCon where the need for a working group was discussed: https://hackmd.io/nZzK_4AfRz-xgya6KkqseA

[toddysm]

@sudo-bmitch I guess this WG will address https://github.com/opencontainers/distribution-spec/issues/338 - correct?

[sudo-bmitch]

@sudo-bmitch I guess this WG will address https://github.com/opencontainers/distribution-spec/issues/338 - correct?

Yes, that should be addressed by the WG.

[dmcgowan]

I agree with having the working group for drafting the spec. It was unclear from the scope where there is any "new" functionality or use cases which this group is also aiming to support/investigate. I would consider "new" to be cases not currently support by a majority of clients/registries.

[sudo-bmitch]

I agree with having the working group for drafting the spec. It was unclear from the scope where there is any "new" functionality or use cases which this group is also aiming to support/investigate. I would consider "new" to be cases not currently support by a majority of clients/registries.

There are probably some edge cases, but a majority of the effort will be standardizing something that should work with existing servers and clients. Do we need new functionality to be a working group?

[dmcgowan]

@sudo-bmitch no, just to avoid scope creep and a never ending working group. Most the efforts to standardize existing behavior allowed limited new functionality, except for known limitations/pain points.

[sagikazarmark]

I'm glad to see this is happening.

I have a working implementation of the Docker registry authorization server spec here: https://github.com/distribution-auth/auth

I've spent some time with registry authnz lately, so I'd be happy to help however I can (work on spec, tinker with implementation, etc)

[sudo-bmitch]

Volunteers for stakeholders and proposed owners are welcome/needed.

[vsoch]

There has been some discussion in the ORAS community about use of the Docker credential file in this flow (about how many tools do it but it’s not a standard) so I’d like to suggest this is considered to be in scope here. It would be ideal to have the full flow from defining the credential through authorization standardized for common tooling and less adhoc standards in the space as we have now.

[toddysm]

@sudo-bmitch what are the next steps for this WG? I will be interested to participate because we are regularly hitting issues with auth with various registries.

[sudo-bmitch]

@toddysm proposed owners/stakeholders are needed. Feel free to nominate yourself and/or projects you represent.

[jcarter3]

I'm happy to represent Docker Hub

[imjasonh]

I'm willing to represent Chainguard.

What more do we need to get this moving?

[sajayantony]

Looks like we have enough stake holders. Request the @opencontainers/tob to consider kicking this off.

[samuelkarp]

I'll call the vote for @opencontainers/tob. Please approve, request changes, reply with LGTM, or not (and hopefully say why!).

• [x] @sudo-bmitch
• [x] @vbatts
• [x] @jdolitsky
• [x] @estesp
• [ ] @jonjohnsonjr
• [ ] @nishakm
• [x] @samuelkarp
• [x] @dmcgowan
• [ ] @cyphar

A 2/3 approval is required here, so 6/9 of the TOB members must approve.

[sudo-bmitch]

LGTM

[dmcgowan]

LGTM

[jdolitsky]

got 6 out of 9 votes, merging