peusebiu
commented
1 month ago Hello @andesvl-klarrio
Unfortunately we tried in the past to make bearer auth work with other authentication options.
The problem is that tools(like skopeo) do not support multiple authentication challenges: https://github.com/containers/image/blob/1dbd8fbbe51653e8a304122804431b07a1060d06/docker/wwwauthenticate.go#L86
So tools will take the first challenge and ignore the other sent by zot...
Thank you for trying out zot!
rchincha
andesvl-klarrio
Is your feature request related to a problem? Please describe.
We want to integrate Zot with our IdP (Keycloak) via OIDC. Our users should be able to authenticate to the Zot UI through the standard OIDC flow. However, we also want to streamline the process of setting up OCI credentials for our users, allowing them to pull and push without manually installing API keys.
To achieve this, we plan to develop a simple CLI tool that can obtain a token from our IdP using the OIDC device grant flow. Currently, there is no way to authenticate to the Zot API to obtain API keys using these tokens. Because, enabling bearer authentication disables all other authentication methods, which conflicts with the OIDC flow needed for the UI.
Describe the solution you'd like
We need a solution that allows API keys to be created via a Zot endpoint using bearer tokens while maintaining compatibility with other authentication methods.
If there are any suggestions for a proper approach, we are happy to contribute an implementation. We don't understand why enabling bearer authentication disabled all other authn.
Describe alternatives you've considered
Using only bearer token authentication is problematic for us.
Additional context
We are building a cloud-indepent multitancy platform on top of Kubernetes and want to host our images in Zot. To integrate Zot, we'd like to use multiple authentication methods for various actors.