Adapt (semi-)standard OAuth to Docker's token system.
Needs custom registry build because distribution/distribution#2875 (See ghcr.io/beryju/distribution:jwt)
TOKEN_URL
: URL to send POST Token request toCLIENT_ID
: OAuth Client IDSCOPE
: Special scope to append to requestsLOG_LEVEL
: Log level, defaults to info, can be set to trace which will print out credentials for debugging
Optional variables
ANON_USERNAME
: Credentials to be used when the client doesn't send any (optional)ANON_PASSWORD
: Credentials to be used when the client doesn't send any (optional)ANON_KUBE_JWT
: (Requires kubernetes) If set, will use the current pod's service account as anonymous credentialsPASS_JWT_USERNAME
: Username clients can use to pass a JWT directly as password (optional)SESSION_KEY
: Secret key used for sessions (only used when registry is used in a browser, for example https://github.com/Joxit/docker-registry-ui)
Scope mapping with this code to allow everything:
scopes = request.http_request.POST.get("scope", "").split()
access = []
for scope in scopes:
if scope.count(":") < 2:
continue
type, name, actions = scope.split(":")
access.append({
"type": type,
"name": name,
"actions": actions.split(","),
})
return {
"access": access,
}
Create with unique scope name, add scope to provider and configure env correctly