project-zot / zot

zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)
https://zotregistry.dev
Apache License 2.0
931 stars 99 forks

[Feat]: Obtain apikeys via CLI with IdP integration #2540

Open andesvl-klarrio opened 3 months ago

andesvl-klarrio commented 3 months ago

Is your feature request related to a problem? Please describe.

We want to integrate Zot with our IdP (Keycloak) via OIDC. Our users should be able to authenticate to the Zot UI through the standard OIDC flow. However, we also want to streamline the process of setting up OCI credentials for our users, allowing them to pull and push without manually installing API keys.

To achieve this, we plan to develop a simple CLI tool that can obtain a token from our IdP using the OIDC device grant flow. Currently, there is no way to authenticate to the Zot API to obtain API keys using these tokens, because enabling bearer authentication disables all other authentication methods, which conflicts with the OIDC flow needed for the UI.

Describe the solution you'd like

We need a solution that allows API keys to be created via a Zot endpoint using bearer tokens while maintaining compatibility with other authentication methods.

If there are any suggestions for a proper approach, we are happy to contribute an implementation. We don't understand why enabling bearer authentication disables all other authn.

Describe alternatives you've considered

Using only bearer token authentication is problematic for us.

  1. We need a solution for metrics scraping (basic auth works fine for us there).
  2. We want to integrate with our IdP for single-sign-on.
  3. We want to authenticate Kubernetes nodes/containerd (so we need basic auth/mutual tls).

Additional context

We are building a cloud-independent multi-tenancy platform on top of Kubernetes and want to host our images in Zot. To integrate Zot, we'd like to use multiple authentication methods for various actors.

eusebiu-constantin-petu-dbk commented 3 months ago

Hello @andesvl-klarrio

Unfortunately we tried in the past to make bearer auth work with other authentication options.

The problem is that tools (like skopeo) do not support multiple authentication challenges: https://github.com/containers/image/blob/1dbd8fbbe51653e8a304122804431b07a1060d06/docker/wwwauthenticate.go#L86

So tools will take the first challenge and ignore the others sent by zot...

Thank you for trying out zot!
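To make the failure mode in the comment above concrete: a registry may legitimately put several comma-separated challenges into one WWW-Authenticate header (RFC 9110, section 11.6.1), but a client that parses only the first one will only ever see the scheme listed first. The parser below is an added example for this thread, not code from zot or from containers/image; the header value and the hostnames in it are constructed for illustration, and `firstChallengeOnly` merely models the "take the first challenge" behaviour, it is not a reproduction of any particular tool's parser. Quoted parameter values may contain commas (the `scope` here does), which is why the split has to be quote-aware rather than a plain `strings.Split`.

```go
package main

import (
	"fmt"
	"strings"
)

// Challenge is one authentication challenge carried in a WWW-Authenticate header.
type Challenge struct {
	Scheme string
	Params map[string]string
}

// Constructed example: what a registry advertising Bearer and Basic at once
// might send. The scope value deliberately contains a comma.
const multiChallenge = `Bearer realm="https://zot.example/auth/token",service="zot.example",scope="repository:app/api:pull,push", Basic realm="zot"`

// splitTopLevel splits s on commas that are not inside a quoted-string.
func splitTopLevel(s string) []string {
	var parts []string
	inQuote, start := false, 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '"':
			inQuote = !inQuote
		case '\\':
			if inQuote {
				i++ // skip the escaped character inside a quoted-string
			}
		case ',':
			if !inQuote {
				parts = append(parts, s[start:i])
				start = i + 1
			}
		}
	}
	return append(parts, s[start:])
}

// parseChallenges returns every challenge in a WWW-Authenticate value.
// A segment whose leading token carries no '=' opens a new challenge
// (e.g. `Basic realm="zot"`); any other segment is a parameter of the
// challenge currently being built. Surrounding quotes are stripped from
// values; backslash escapes inside quoted-strings are left as-is.
func parseChallenges(header string) []Challenge {
	var out []Challenge
	for _, seg := range splitTopLevel(header) {
		seg = strings.TrimSpace(seg)
		if seg == "" {
			continue
		}
		head, rest, hasSpace := strings.Cut(seg, " ")
		if !strings.Contains(head, "=") { // bare scheme token: new challenge
			out = append(out, Challenge{Scheme: head, Params: map[string]string{}})
			if !hasSpace {
				continue
			}
			seg = strings.TrimSpace(rest)
		}
		if len(out) == 0 {
			continue // parameter before any scheme: malformed, ignore it
		}
		k, v, _ := strings.Cut(seg, "=")
		out[len(out)-1].Params[strings.ToLower(strings.TrimSpace(k))] =
			strings.Trim(strings.TrimSpace(v), `"`)
	}
	return out
}

// firstChallengeOnly models a client that honours a single challenge and
// ignores the rest of the header; it returns the scheme such a client sees.
func firstChallengeOnly(header string) string {
	cs := parseChallenges(header)
	if len(cs) == 0 {
		return ""
	}
	return cs[0].Scheme
}

// selectChallenge picks the first advertised challenge whose scheme the
// client supports, in the client's order of preference (case-insensitive
// scheme match, as RFC 9110 requires).
func selectChallenge(header string, supported ...string) (Challenge, bool) {
	cs := parseChallenges(header)
	for _, want := range supported {
		for _, c := range cs {
			if strings.EqualFold(c.Scheme, want) {
				return c, true
			}
		}
	}
	return Challenge{}, false
}

func main() {
	cs := parseChallenges(multiChallenge)
	fmt.Printf("registry offered %d challenges\n", len(cs))
	for _, c := range cs {
		fmt.Printf("  %s %v\n", c.Scheme, c.Params)
	}
	fmt.Println("first-challenge-only client sees:", firstChallengeOnly(multiChallenge))
	if c, ok := selectChallenge(multiChallenge, "Basic"); ok {
		fmt.Println("basic-auth client (e.g. a node) could use realm:", c.Params["realm"])
	}
}
```

Run with `go run .`: the registry offered two challenges, but the first-only client sees just `Bearer`, so a node or scraper that only holds basic credentials never learns that `Basic` was on offer, which is exactly why serving both schemes from one endpoint does not help those clients.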

rchincha commented 3 months ago

This is also something the OCI community is looking at: https://github.com/opencontainers/wg-auth/issues/12

andesvl-klarrio commented 3 months ago

I may be misunderstanding, but aren't apikeys already a solution to get past the 'OCI authn restriction'? So if Zot can create apikeys via its own (non-OCI?) authn implementation (at least for that endpoint), the problem that I'm having seems to be solved. I don't think you need to support multiple auth headers on single OCI requests, just the login via apikey as you already do.