-
Notifications
You must be signed in to change notification settings - Fork 174
docker app push scope incorrect? #752
Comments
@silvin-lubecki - Do you know of anyone that can comment on this? |
Hello @doanac , sorry for that late reply. I looked into the code and found that the error is raised here. If I read the code correctly, this error is raised only if it's the third time in a raw the server returns an error. So the error comes from the authentication server itself right? It feels like the server shouldn't return an error but just the |
The logs I showed were from my authentication server. My registry is rejecting the push because the JWT provided by the push code is only granted "pull" access. I'll spin up a complete dev environment today to provide more logs. However, the problem (as I think is happening) is that docker-app first gets a push/pull token. That token would be able to push. However, it then gets a few "pull" scoped tokens and that's the token being used to push with. |
I'm running https://github.com/docker/app/releases/download/v0.9.0-beta1/docker-app-linux.tar.gz and observing an odd issue. I feel like I've got to be doing something wrong, but I'm not seeing it.
Running
docker app push
fails with my 2.7 docker registry and custom token authentication server. The issue I've observed is that docker-app is doing a few token authentication calls with my server:As you can see from my hacked logs above, the first scope docker-app asks for has push,pull. However, the preceding ones are all "pull" only. This leads my push command to give up with:
The way I read the token authentication spec, my server should take the intersection of what you ask for and what the user has access to:
So a request with scope=
pull
should only returnpull
even if the user haspush,pull
. This is how my token server is behaving, but its breaking this command. If I return what the user can do and not the intersection (ie push,pull) then docker-app-push works fine.NOTE - docker-app-push to hub.docker.io works fine for me. So it seems my token server is to blame. However, I'm confused due to the wording of the token auth spec. Can you please help clarify?
The text was updated successfully, but these errors were encountered: