[Bug]: api keys endpoint skip oidc auth
legolego621 opened this issue
zot version
v2.0.2-rc1
Describe the bug
If I use the OIDC auth method, after logging in to zot and trying to create an API key I get an UNAUTHORIZED code, because OIDC auth to /zot/auth/apikey does not work (it works only with basic auth).
To reproduce
- Configuration
helm chart version: v2.0.2-rc1
values.yaml:
replicaCount: 1
image:
  repository: ghcr.io/project-zot/zot-linux-amd64
  pullPolicy: IfNotPresent
  tag: "v2.0.2-rc1"
strategy:
  type: Recreate
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
  className: "nginx"
  pathtype: ImplementationSpecific
  hosts:
    - host: reg.example.com
      paths:
        - path: /
  tls:
    - secretName: cert
      hosts:
        - reg.example.com
httpGet:
  scheme: HTTP
mountConfig: true
mountSecret: true
configFiles:
  config.json: |-
    {
      "storage": {
        "rootDirectory": "/tmp/zot",
        "dedupe": false,
        "storageDriver": {
          ........
        }
      },
      "http": {
        "address": "0.0.0.0",
        "port": "5000",
        "externalUrl": "https://reg.example.com",
        "auth": {
          "apikey": true,
          "htpasswd": {
            "path": "/secret/htpasswd"
          },
          "openid": {
            "providers": {
              "oidc": {
                "issuer": "https://keycloak.example.com/realms/test",
                "clientid": "project-zot",
                "clientsecret": "secret....",
                "keypath": "",
                "scopes": ["openid", "profile", "email", "groups"]
              }
            }
          }
        },
        "accessControl": {
          "repositories": {
            "tenant-1/**": {
              "policies": [{
                "users": ["user"],
                "groups": ["project-zot-tenant-1"],
                "actions": ["read", "create", "update", "delete"]
              }],
              "defaultPolicy": []
            },
            "tenant-2/**": {
              "policies": [{
                "users": ["user"],
                "groups": ["project-zot-tenant-2"],
                "actions": ["read", "create", "update", "delete"]
              }],
              "defaultPolicy": []
            }
          },
          "adminPolicy": {
            "users": ["admin"],
            "actions": ["read", "create", "update", "delete"]
          }
        }
      },
      "log": {
        "level": "debug"
      },
      "extensions": {
        "search": {
          "enable": true
        },
        "ui": {
          "enable": true
        },
        "mgmt": {
          "enable": true
        },
        "sync": {
          "downloadDir": "/tmp/zot",
          "registries": [
            {
              "urls": ["https://127.0.0.1:5000"],
              "content": [
                {
                  "prefix": "**",
                  "destination": "/tenant-1"
                }
              ],
              "onDemand": true,
              "tlsVerify": false
            },
            {
              "urls": ["https://127.0.0.1:5000"],
              "content": [
                {
                  "prefix": "**",
                  "destination": "/tenant-2"
                }
              ],
              "onDemand": true,
              "tlsVerify": false
            },
            {
              "urls": ["https://reg2.example.com"],
              "content": [
                {
                  "prefix": "**",
                  "destination": "/gitlab"
                }
              ],
              "onDemand": true,
              "tlsVerify": true
            },
            {
              "urls": ["https://docker.io/library"],
              "content": [
                {
                  "prefix": "**",
                  "destination": "/docker"
                }
              ],
              "onDemand": true,
              "tlsVerify": true
            }
          ]
        }
      }
    }
secretFiles:
  htpasswd: |-
    admin:$2y$05$vmiurPmJvHylk78HHFWuruFFVePlit9rZWGA/FbZfTEmNRneGJtha
authHeader: "YWRtaW46YWRtaW4="
- Client tool used
I try to create an API key and get an UNAUTHORIZED error:
curl -u "username_oidc:password" -X POST https://reg.example.com/zot/auth/apikey -d '{"label": "git", "scopes": ["tenant-1"]}'
{"code":"UNAUTHORIZED","message":"authentication required","detail":{"description":"The access controller was unable to authenticate the client. Often this will be accompanied by a WWW-Authenticate HTTP response header indicating how to authenticate."}}
But I can log in to the UI with username_oidc:password via the OIDC auth method and only have a problem accessing the https://reg.example.com/zot/auth/apikey page (auth as the default admin user can open the page).
- Seen error
Logs:
{"level":"error","goroutine":430,"caller":"zotregistry.io/zot/pkg/api/authn.go:190","time":"2024-02-17T09:33:24.173655954Z","message":"invalid api token format"}
{"level":"info","module":"http","username":"username_oidc","component":"session","clientIP":"10.233.75.194:34988","method":"POST","path":"/zot/auth/apikey","statusCode":401,"latency":"0s","bodySize":253,"headers":{"Accept":["*/*"],"Authorization":["******"],"Content-Length":["40"],"Content-Type":["application/x-www-form-urlencoded"],"User-Agent":["curl/7.81.0"],"X-Forwarded-For":["192.168.30.5"],"X-Forwarded-Host":["reg.example.com"],"X-Forwarded-Port":["443"],"X-Forwarded-Proto":["https"],"X-Forwarded-Scheme":["https"],"X-Real-Ip":["192.168.30.5"],"X-Request-Id":["7761d6375e1e46aa0f480de470b2cf5a"],"X-Scheme":["https"]},"goroutine":430,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2024-02-17T09:33:24.173776652Z","message":"HTTP API"}
Expected behavior
Allow creating an API key with OIDC auth.
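As an added example (not part of the issue or of zot's own code), a small parser for zot's JSON log records like the ones above: it splits records that were captured concatenated on one line, then attaches the "invalid api token format" authn error to the 401 on /zot/auth/apikey. Pairing the two records by their shared goroutine id is an assumption based on the report's own log lines; the sample records below are constructed from them with the headers dropped, plus a constructed successful request for contrast.

```python
import json
from typing import Iterator

# Constructed sample: the two records from the bug report (headers dropped), joined on
# one line as captured, followed by a constructed 201 from the admin user.
SAMPLE_LOG = (
    '{"level":"error","goroutine":430,"caller":"zotregistry.io/zot/pkg/api/authn.go:190",'
    '"time":"2024-02-17T09:33:24.173655954Z","message":"invalid api token format"} '
    '{"level":"info","module":"http","username":"username_oidc","component":"session",'
    '"clientIP":"10.233.75.194:34988","method":"POST","path":"/zot/auth/apikey",'
    '"statusCode":401,"goroutine":430,"caller":"zotregistry.io/zot/pkg/api/session.go:132",'
    '"time":"2024-02-17T09:33:24.173776652Z","message":"HTTP API"}\n'
    '{"level":"info","module":"http","username":"admin","component":"session",'
    '"clientIP":"10.233.75.194:34990","method":"POST","path":"/zot/auth/apikey",'
    '"statusCode":201,"goroutine":431,"caller":"zotregistry.io/zot/pkg/api/session.go:132",'
    '"time":"2024-02-17T09:34:01.000000000Z","message":"HTTP API"}\n'
)


def iter_records(text: str) -> Iterator[dict]:
    """Yield each JSON object in the log, even when several share one line."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():  # skip separators
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)  # parse one object, advance past it
        yield obj


def failed_apikey_requests(text: str) -> list:
    """Return 401s on /zot/auth/apikey, each with the authn error logged just before it.

    Assumption: zot emits the authn error and the HTTP access record from the same
    goroutine, so the goroutine id is used to attach the reason to the request.
    """
    last_error = {}  # goroutine id -> most recent error message
    findings = []
    for rec in iter_records(text):
        gid = rec.get("goroutine")
        if rec.get("level") == "error":
            last_error[gid] = rec.get("message", "")
        elif rec.get("path") == "/zot/auth/apikey" and rec.get("statusCode") == 401:
            findings.append({"time": rec.get("time"), "username": rec.get("username"),
                             "clientIP": rec.get("clientIP"),
                             "reason": last_error.pop(gid, "unknown")})
    return findings


if __name__ == "__main__":
    for finding in failed_apikey_requests(SAMPLE_LOG):
        print(finding)
```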
Hi @legolego621, the oidc auth workflow is more complex and requires multiple requests, which the UI implements.
We added the api keys feature specifically for oidc users as a workaround for command line tools, as an alternative.
Ideally the oidc user would login to the UI, and generate the API key from a menu there.
Unfortunately, the UI implementation is not merged yet (project-zot/zui#403).
Hi, thanks for the quick response.
Please tell me how I can now generate an API key when logged in as an OIDC user? You mentioned that you added the API path.
@legolego621, we merged project-zot/zui#403.
Do you think you could build zot based on #2256 (which includes project-zot/zui#403), and test the UI feature for API key management? See how that works out for you.
It's in the menu available for logged-in users at the top right of the page.
@andaaron
Thanks, this worked for me.
I built the zui image from commit-33524ce
@legolego621, shall we close this issue then?