
Docker CLI client not correctly authorizing to private registry with token auth #4323

Open
zee-hussain opened this issue Apr 12, 2024 · 1 comment


@zee-hussain

Description

I am having an issue with my private docker registry, which is using a token auth server I have written.

The registry is set to use https://mydomain.io/imagetoken for REGISTRY_AUTH_TOKEN_REALM. This endpoint responds to basic auth with a JWT token.

I am able to manually retrieve a token by making a request against my endpoint:
curl -v -X POST -u "username:password" "https://authserver.io/v1/imagetoken"

Response:

{"token":"token","access_token":"token"}

I am able to use that token to hit the registry successfully:
curl -H "Authorization: Bearer TOKEN" https://private-registry.io/v2/
Response:
{}

However, when I attempt to use docker login to authenticate with my private registry I run into issues.

docker login -u foo -p bar private-registry.io
Response:
Error response from daemon: Get "https://private-registry.io/v2/": received unexpected HTTP status: 501 Not Implemented

And I see this in the logs of the private registry:

REDACTED - - [12/Apr/2024:20:46:07 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "curl/8.4.0"
REDACTED - - [12/Apr/2024:20:46:13 +0000] "GET / HTTP/1.1" 200 0 "" "curl/8.4.0"
REDACTED - - [12/Apr/2024:20:50:52 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/24.0.9 go/go1.20.13 git-commit/fca702d kernel/6.5.0-15-generic os/linux arch/arm64 UpstreamClient(Docker-Client/26.0.1 \\(darwin\\))"
time="2024-04-12T20:50:52.094748733Z" level=debug msg="authorizing request" go.version=go1.20.8 http.request.host=private-registry.io http.request.id=REDACTED http.request.method=GET http.request.remoteaddr=REDACTED http.request.uri="/v2/" http.request.useragent="docker/24.0.9 go/go1.20.13 git-commit/fca702d kernel/6.5.0-15-generic os/linux arch/arm64 UpstreamClient(Docker-Client/26.0.1 \(darwin\))" 
time="2024-04-12T20:50:52.094832267Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.20.8 http.request.host=private-registry.io http.request.id=REDACTED http.request.method=GET http.request.remoteaddr=REDACTED http.request.uri="/v2/" http.request.useragent="docker/24.0.9 go/go1.20.13 git-commit/fca702d kernel/6.5.0-15-generic os/linux arch/arm64 UpstreamClient(Docker-Client/26.0.1 \(darwin\))" 

Reproduce

  1. Create server that takes basic auth and returns valid JWT
  2. Start registry version registry:2.8.3
  3. Attempt to curl the registry using JWT from auth server
  4. Try to docker login to the registry

Expected behavior

The registry should log in successfully if it is just passing the basic auth credentials to the token server

registry version

registry:2.8.3

Additional Info

No response
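One detail worth checking when debugging this flow: after the 401 from /v2/ the Docker client does not POST to the realm the way the curl above does; it sends a GET to REGISTRY_AUTH_TOKEN_REALM carrying the Basic credentials and service, scope and account query parameters, reads "token" (falling back to "access_token") from the JSON reply, and reports a 5xx from the realm as the "received unexpected HTTP status" error, wrapped in the original GET /v2/ request. Below is an added example, not code from this issue or from the distribution project, of a minimal Go realm handler that accepts exactly that request shape; the /v1/imagetoken path, the foo/bar credential table and the placeholder token value are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"net/http"
)
// Constructed credential table; a real realm verifies password hashes, not plaintext.
var users = map[string]string{"foo": "bar"}

// JSON the Docker client accepts from the realm: "token", falling back to "access_token".
type tokenResponse struct {
	Token       string `json:"token"`
	AccessToken string `json:"access_token"`
}

// checkCredentials compares digests in constant time so timing does not leak a match.
func checkCredentials(user, pass string) bool {
	want, ok := users[user]
	if !ok {
		return false
	}
	got, exp := sha256.Sum256([]byte(pass)), sha256.Sum256([]byte(want))
	return subtle.ConstantTimeCompare(got[:], exp[:]) == 1
}

// realmHandler serves the REGISTRY_AUTH_TOKEN_REALM endpoint the way the daemon calls it
// after the 401 from /v2/: a GET with Basic credentials and service/scope/account params.
func realmHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	user, pass, ok := r.BasicAuth()
	if !ok || !checkCredentials(user, pass) {
		w.Header().Set("WWW-Authenticate", `Basic realm="imagetoken"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if r.URL.Query().Get("service") == "" {
		http.Error(w, "missing service parameter", http.StatusBadRequest)
		return
	}
	// Placeholder: a real realm mints a JWT for the registry's issuer/service and scopes.
	tok := "placeholder-jwt-for-" + user
	json.NewEncoder(w).Encode(tokenResponse{Token: tok, AccessToken: tok})
}

func main() { http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(realmHandler)) }
```

Pointing REGISTRY_AUTH_TOKEN_REALM at this handler and watching its access log shows the exact method and query string the daemon sends, which is the first thing to compare against what a hand-written token server actually implements.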

@milosgajdos
Member

This is a question for https://github.com/moby/moby project I believe. CC: @thaJeztah

My general suspicion is: docker daemon does not seem to be able to handle calls to private registry. I am going to assume that your private registry is served over a trusted TLS cert, otherwise you'd need to explicitly tell docker daemon it is untrusted, i.e. insecure, in docker daemon.json settings. If you don't, the daemon will barf. The config goes something like this IIRC -- please check the official docs.

{
  "insecure-registries" : ["<my-registry-ip>:5000"]
}

If the registry does serve the API using a trusted TLS cert then yeah, please ask in moby/moby.

Finally, I'd strongly encourage you to stop using v2.8.x version. It's missing a lot of patches, bug fixes and performance improvements.
