Auth.docker.io returns response with wrong content-type

skrech1 · March 2, 2022, 3:14pm

Hello,

Since today, 02 March 2022, auth.docker.io started to return auth token responses with wrong Content-Type header: “text/plain” while it should return response with “application/json”. Using the example from https://docs.docker.com/registry/spec/auth/token/:

$ curl -i -L 'https://auth.docker.io/token?service=registry.docker.io&scope=repository:samalba/my-app:pull,push'
HTTP/1.1 200 OK
date: Wed, 02 Mar 2022 14:54:50 GMT
content-type: text/plain; charset=utf-8
transfer-encoding: chunked
strict-transport-security: max-age=31536000

{"token":"eyJhb...Ug","access_token":"eyJhb...Ug","expires_in":300,"issued_at":"2022-03-02T14:54:50.611161398Z"}

Even supplying Accept header doesn’t help:

$ curl -i -L -H "Accept: application/json" 'https://auth.docker.io/token?service=registry.docker.io&scope=repository:samalba/my-app:pull,push'
HTTP/1.1 200 OK
date: Wed, 02 Mar 2022 14:54:50 GMT
content-type: text/plain; charset=utf-8
transfer-encoding: chunked
strict-transport-security: max-age=31536000

{"token":"eyJhb...Ug","access_token":"eyJhb...Ug","expires_in":300,"issued_at":"2022-03-02T14:54:50.611161398Z"}

This might not seem like a big issue, but crashes some libraries that expect correct Content-Type to function properly.

frossie · March 2, 2022, 8:29pm

Thanks for reporting this, it helped us understand what was going on (and I can confirm it is a big issue)

athornton · March 2, 2022, 8:35pm

Given that one of the clients that cares is Kubernetes-when-doing-authenticated-image-pulls, it’s a very big issue indeed.

joshbaran08 · March 2, 2022, 9:02pm

It may also be possibly affecting AWS ECS pulls as well. All of my Fargate services suddenly stopped working today with the following error:

CannotPullContainerError: inspect image has been retried 1 time(s): failed to resolve ref “docker.io/rrepo/image:dev”: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: au…

And that is the whole error. AWS truncated it at “au…”

I can’t be sure it is related, but the timing lines up, and it has to do with auth, so I figured I should mention it here in case.

athornton · March 2, 2022, 9:44pm

It’s worse than ECS and GKE, as amazing as that is. It’s anything Kubernetes pulls with a pull-secret. The whole message looks like this:

Failed to pull image “”: rpc error: code = Unknown desc = failed to pull and unpack image “”: failed to resolve reference “”: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

athornton · March 2, 2022, 9:46pm

It looks like Docker has fixed it on their end again.

joshbaran08 · March 2, 2022, 9:47pm

AWS pulls started working again for me as well.

skrech1 · March 2, 2022, 10:47pm

Yes, it seems to be fixed.

curl -i -L 'https://auth.docker.io/token?service=registry.docker.io&scope=repository:samalba/my-app:pull,push'
HTTP/1.1 200 OK
content-type: application/json
date: Wed, 02 Mar 2022 22:48:03 GMT
transfer-encoding: chunked
strict-transport-security: max-age=31536000

{
 "token": "eyJh...828WJg",
 "access_token": "eyJhb...828WJg",
 "expires_in": 300,
 "issued_at": "2022-03-02T22:48:03.880515791Z"
}⏎