Docker registries should include both of these in their WWW-Authenticate response, and Docker's registry does:

The WWW-Authenticate header is specified in RFC 7235, and the Bearer token is specified in RFC 6750. RFC 7235 defines realm and allows for per-scheme extensions:

The realm value is a string, generally assigned by the origin server, that can have additional semantics specific to the authentication scheme.

But RFC 6750 has nothing to say about its semantics, so interpreting it as the auth-server URI seems to be a Dockerism. Similarly, the service parameter seems to be a Dockerism, with no mentions of service in RFC 6750. scope is covered in RFC 6750, which delegates the definition to RFC 6749.

RFC 6749 covers supplying the scope to the auth-server as a query parameter. It also covers client_id, which Docker also mentions. RFC 6749 requires auth-requests to include response_type=code, which Docker does not mention; but Docker accepts the RFC value:

Docker does not seem to implement RFC 6749's recommended state parameter.

With both “use realm as the auth server” and “pass through service as an auth query parameter” as Dockerisms, the RFCs are not sufficient in themselves to specify Docker's current auth protocol. These are not vanilla bearer tokens. But the information we previously supplied via authUri and authService is in the initial resource response, so we can stop supplying those ourselves.
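The flow described above, sketched as an added example that is not code from the original message or its project: parse the Bearer challenge from the initial resource response, treat realm as the auth-server URI, and pass service and scope through as query parameters. The header value and host names are constructed, and the HTTPS-only check on the server-supplied realm is an assumption added here, not something the RFCs or the text require.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample of a registry's 401 challenge (hosts are placeholders).
SAMPLE = ('Bearer realm="https://auth.example.test/token",'
          'service="registry.example.test",'
          'scope="repository:example/app:pull,push"')

# RFC 7235 auth-param: token "=" ( token / quoted-string )
_PARAM = re.compile(
    r'''([\w!#$%&'*+.^`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))''')


def parse_bearer_challenge(header):
    """Return the auth-params of a Bearer challenge, keyed by lowercase name."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        # Quoted values may contain commas (scope) and backslash escapes.
        params[name.lower()] = bare if bare else re.sub(r"\\(.)", r"\1", quoted)
    return params


def token_url(challenge, client_id=None):
    """Build the token request URL: realm is the endpoint (the Dockerism),
    service and scope are passed through as query parameters."""
    realm = challenge.get("realm")
    if not realm:
        raise ValueError("challenge has no realm")
    parts = urlsplit(realm)
    # Assumption: realm is chosen by the server we just contacted, so only
    # follow it (and later send credentials to it) over HTTPS.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("refusing non-HTTPS realm: %r" % realm)
    query = parse_qsl(parts.query, keep_blank_values=True)
    for key in ("service", "scope"):
        if key in challenge:
            query.append((key, challenge[key]))
    if client_id:
        query.append(("client_id", client_id))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    print(token_url(parse_bearer_challenge(SAMPLE)))
```
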