
By following the command snippet in https://docs.docker.com/registry/spec/auth/oauth/ as below and setting access_type=offline, refresh_token is not present in the returned response.

curl -iX POST https://auth.docker.io/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&username=${user}&password=${password}&service=hub.docker.io&client_id=dockerengine&access_type=offline"

The command succeeds with the response below:

HTTP/1.1 200 OK
content-type: application/json
date: Tue, 04 Jan 2022 03:08:37 GMT
transfer-encoding: chunked
strict-transport-security: max-age=31536000

{
 "access_token": "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.eyJhY2Nlc3MiOltdLCJhdWQiOiJodWIuZG9ja2VyLmlvIiwiZXhwIjoxNjQxMjY2MDE3LCJpYXQiOjE2NDEyNjU3MTcsImlzcyI6ImF1dGguZG9ja2VyLmlvIiwianRpIjoiV1dUV090ZVhnVWUwM0tWNWUwbEgiLCJuYmYiOjE2NDEyNjU0MTcsInN1YiI6ImM3YWJkMmU3LTJmNDgtNGFmNS1hOTExLTk5ZGM2MWQ2MmQ4OSJ9.D6YL422MrrS6bPv6A_BqEZa-6DhOWlkOvI2y2kq1uaIubSG09G7zodw97EE2RH2_1Wl94l0nVmN4nxSWHQvXT-e7v69XzLuO1gRxlFMZzmupn4JMRQ42UlFPM3VIKWeV3Opx4zLbtLvY1y9fR_ZSa3jcbP3HLKhBWH4dqYyp_oaFd3nVEgngEksyivqZHYu0JYID-EGw-2mZFFlLT030U3DcsFqcTsZWa1jfeDZIsxjdhEkqsxKbfqOpSY6-6p4b6Y0-1FDw1EiX2q4Y6PzbMfNJg9v_lQAftSUuCzMqrhVtrvPn07Su0nN_BpAJ5fDum5jHS1gDmmX7pnGnB0gd0g",
 "scope": "",
 "expires_in": 300,
 "issued_at": "2022-01-04T03:08:37.398945485Z"
}

The document explicitly says:

refresh_token

(Optional) Token which can be used to get additional access tokens for the same subject with different scopes. This token should be kept secure by the client and only sent to the authorization server which issues bearer tokens. This field will only be set when access_type=offline is provided in the request.

The same effect was observed when I tested a deployment of a private docker registry:2.7 along with a docker_auth (https://github.com/cesanta/docker_auth, version 1.9) authentication server.

From the Docker registry OAuth specification, it seems the feature is already in place, but if it does not work on the Docker auth server and the other project follows this specification, I can't help but wonder whether this is a future feature or whether I just missed something in my configuration.

robert
  • Try revoking access, then authorize it again. Some systems only return the refresh token the first time it's authorized and assume you stored it locally. – Linda Lawton - DaImTo Jan 04 '22 at 06:54
  • Thanks. Can you elaborate on this? For the auth.docker.io case, I executed the command only once today and got that result. BTW the TTL of the access token on the docker registry is 300 seconds. – robert Jan 04 '22 at 06:58
  • Access tokens are short-lived; that's the point of access tokens. Are you sure you can even get a refresh token with grant type password? What would be the point? You have the password, just make the request again for a new access token. Refresh tokens are used with the authorization_code flow when the owner of the account may not be behind the machine at the time. You have the login and password, why do you need a refresh token? – Linda Lawton - DaImTo Jan 04 '22 at 07:00
  • The only purpose of the parameters is to get a refresh token at the first connection by giving username and password. But I never have a refresh_token in the returned response. – robert Jan 04 '22 at 18:01
  • You don't need a refresh token if you have the username and password; just use that. Refresh tokens are for the authorization_code grant type, not the password grant_type. This is working as intended. – Linda Lawton - DaImTo Jan 04 '22 at 18:02
  • I am a bit confused now. My understanding of the docker registry oauth spec is that you get both access_token and refresh_token at the first connection by giving username and password. Then keep refresh_token at the client side locally. After access_token expires, I can send refresh_token back to the auth server to get a new access_token. This is how I interact with other oauth projects. Have I been doing it wrong all this time? – robert Jan 04 '22 at 18:06

0 Answers
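As an added example (not code from the question, the Docker registry spec or the docker_auth project), the following Python helper shows the two grants the OAuth spec page describes, `grant_type=password` with `access_type=offline` and the follow-up `grant_type=refresh_token`, and how a client should behave in exactly the situation observed above: a 200 response whose JSON carries no `refresh_token`. The token claims are only decoded for inspection (the signature is not verified), and the sample responses are constructed inline so the script runs offline; the endpoint, `service` and `client_id` values are the ones quoted in the question, the username, password and claim values are made up.

```python
"""Added example: client-side handling of the Docker registry token endpoint grants.
Nothing here contacts a server; the sample responses are constructed locally."""
import base64
import json
import urllib.parse
from typing import Optional

# Values quoted in the question; TOKEN_ENDPOINT is only used to show where the body would go.
TOKEN_ENDPOINT = "https://auth.docker.io/token"
SERVICE = "hub.docker.io"
CLIENT_ID = "dockerengine"


def build_password_grant(username: str, password: str, *, service: str = SERVICE,
                         client_id: str = CLIENT_ID, offline: bool = True,
                         scope: Optional[str] = None) -> bytes:
    """Form body for grant_type=password; access_type=offline requests a refresh_token."""
    params = {"grant_type": "password", "username": username, "password": password,
              "service": service, "client_id": client_id}
    if offline:
        params["access_type"] = "offline"
    if scope:
        params["scope"] = scope
    return urllib.parse.urlencode(params).encode()


def build_refresh_grant(refresh_token: str, *, service: str = SERVICE,
                        client_id: str = CLIENT_ID, scope: Optional[str] = None) -> bytes:
    """Form body for grant_type=refresh_token, the follow-up request the spec describes."""
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token,
              "service": service, "client_id": client_id}
    if scope:
        params["scope"] = scope
    return urllib.parse.urlencode(params).encode()


def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload for inspection only. The signature is NOT verified here,
    so the result must never be used to make an authorization decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_token_response(body: str) -> dict:
    """Normalise the token endpoint JSON; refresh_token is None when the server omitted it."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("token response has no access_token")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),      # absent in the question's response
        "expires_in": int(data.get("expires_in", 60)),   # spec default is 60 seconds
        "scope": data.get("scope", ""),
    }


def next_grant(parsed: dict, username: str, password: str) -> bytes:
    """Body for the next token request once the access token is close to expiry: use the
    refresh grant if one was issued, otherwise re-run the password grant (the only option
    left when the server ignores access_type=offline, as in the question)."""
    if parsed["refresh_token"]:
        return build_refresh_grant(parsed["refresh_token"])
    return build_password_grant(username, password)


def _unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned (alg=none) token used solely to fabricate sample responses."""
    def b64(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample responses. Claim values mirror the shape of the token in the question
# (iat/exp 300 s apart, empty scope); the subject is made up.
IAT = 1641265717
SAMPLE_RESPONSE = json.dumps({
    "access_token": _unsigned_jwt({"iss": "auth.docker.io", "aud": SERVICE,
                                   "sub": "example-subject", "iat": IAT,
                                   "exp": IAT + 300, "access": []}),
    "scope": "", "expires_in": 300, "issued_at": "2022-01-04T03:08:37Z",
})
SAMPLE_WITH_REFRESH = json.dumps({
    "access_token": _unsigned_jwt({"iss": "auth.docker.io", "aud": SERVICE,
                                   "sub": "example-subject", "iat": IAT,
                                   "exp": IAT + 300, "access": []}),
    "refresh_token": "constructed-refresh-token", "scope": "", "expires_in": 300,
})


if __name__ == "__main__":
    parsed = parse_token_response(SAMPLE_RESPONSE)
    claims = decode_claims(parsed["access_token"])
    print("refresh_token issued:", parsed["refresh_token"] is not None)
    print("token lifetime from claims:", claims["exp"] - claims["iat"], "s")
    print("next request body:", next_grant(parsed, "alice", "example-password")[:30], "...")
```

The practical consequence for a client is visible in `next_grant`: when the server omits `refresh_token`, the only way to keep obtaining access tokens is to keep the password available and repeat the password grant, which is exactly the trade-off raised in the comments; if a refresh token is issued, it should be stored with the same care as the password and sent only to the token endpoint.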