Docker Community Forums

Share and learn in the Docker community.

Custom docker autheticator - resource is denied


(Ivandilelio) #1

Hi all,
I implementing a custom authentication middleware like Cesanta Docker Auth.
After the login my docker-auth answer with a correct jwt token and into the Payload section we can found:
{
“aud”: “dev-registry.myprivatedomain-com”,
“iss”: “dev-registry.myprivatedomain-com”,
“sub”: “ivan”,
“exp”: 1702682517,
“nbf”: 1516272517,
“iat”: 1516282517,
“jti”: “tvAnoCETDeuPggte1ydnyLV9JPkAOgqiDgVnYbddEzt3mDigwPnbmsG-OAzU8Hfp”,
“access”: [
{
“type”: “repository”,
“name”: “ivan/web”,
“action”: [
“pull”,
“push”
]
}
],
“seq”: 1
}

After successful login I did two steps:
docker tag b68246d2fe83 dev-registry.myprivatedomain-com/ivan/web

and push:
docker push dev-registry.myprivatedomain-com/ivan/web

without any success, because I receive continuously ( denied: requested access to the resource is denied )

During the push handshake, my docker auth receive the refresh token rest to authorize the scope, and my docker-auth answer is:
{ access_token: ‘eyJ0eXAiOiJK…’,
scope: ‘repository:dev-registry.myprivatedomain.com/ivan/web:pull,repository:dev-registry.myprivatedomain.com/ivan/web:push’,
expires_in: 360000,
issued_at: ‘2018-01-18T13:35:41.458Z’,
refresh_token: ‘eyJ0eXAiOiJKV1Q …’ }
Where the new refresh token and access token are both a valid JWT Token with the same Payload data section showed before.

I also tried to add the hostname of my private registry into the jwt token access.name subfield, without success.
I also tried to modify the scope field like to repository:dev-registry.myprivatedomain.com/ivan/web:pull,push ( about this point the Docker documentation have one difference because the Grammar accept a string like ‘repository:dev-registry.myprivatedomain.com/ivan/web:push,pull’ and the answer example show a string as 'repository:dev-registry.myprivatedomain.com/ivan/web:pull,repository:dev-registry.myprivatedomain.com/ivan/web:push. )

Where is my error? Why the registry continue to answer me ( denied: requested access to the resource is denied )

Thank’s
Ivan