docs: add an example of authentication with Azure Container Registry#321
docs: add an example of authentication with Azure Container Registry#321wangxiaoxuan273 wants to merge 12 commits intooras-project:mainfrom
Conversation
Signed-off-by: Xiaoxuan Wang <wangxiaoxuan119@gmail.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #321 +/- ##
=======================================
Coverage 91.76% 91.76%
=======================================
Files 64 64
Lines 2755 2755
Branches 364 364
=======================================
Hits 2528 2528
Misses 138 138
Partials 89 89 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR adds documentation and example code demonstrating how to authenticate with Azure Container Registry (ACR) using Azure Active Directory (AAD) credentials in the ORAS .NET library.
Changes:
- Added
AzureCredentialProviderclass implementingICredentialProviderfor ACR authentication via AAD token exchange - Added
AzureContainerRegistryAuthenticationexample demonstrating ACR authentication and cross-registry copy operations - Added Azure SDK dependencies (
Azure.Containers.ContainerRegistry1.3.0,Azure.Identity1.13.1) - Updated API documentation index to include the new ACR authentication example
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 12 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/OrasProject.Oras.Tests/examples/AzureCredentialProvider.cs | Implements ICredentialProvider for ACR authentication using Azure DefaultAzureCredential and AAD token exchange |
| tests/OrasProject.Oras.Tests/examples/AzureContainerRegistryAuthentication.cs | Demonstrates usage of AzureCredentialProvider for cross-registry artifact copy operations |
| tests/OrasProject.Oras.Tests/OrasProject.Oras.Tests.csproj | Adds Azure SDK package references for ACR and Azure Identity support |
| docs/api/index.md | Adds link to the new ACR authentication documentation |
| docs/api/authenticate_with_ACR.md | Documentation page that includes the ACR authentication examples |
tests/OrasProject.Oras.Tests/examples/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
tests/OrasProject.Oras.Tests/examples/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
tests/OrasProject.Oras.Tests/examples/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
tests/OrasProject.Oras.Tests/examples/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
examples/OrasProject.Oras.Examples.Azure/AzureContainerRegistryAuthentication.cs
Show resolved
Hide resolved
tests/OrasProject.Oras.Tests/examples/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
tests/OrasProject.Oras.Tests/examples/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
tests/OrasProject.Oras.Tests/examples/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
Signed-off-by: Xiaoxuan Wang <wangxiaoxuan119@gmail.com>
| private string _aadToken { get; set; } = string.Empty; | ||
| private Credential _credential { get; set; } = new Credential(); | ||
| private DateTimeOffset _tokenExpiry { get; set; } = DateTimeOffset.MinValue; | ||
| private ContainerRegistryClient _crClient { get; set; } = new ContainerRegistryClient(new Uri($"https://{host}")); |
There was a problem hiding this comment.
This is cloud specific implementation. I would rename this as _acrClient. _crClient makes its look like a generic client.
| namespace OrasProject.Oras.Tests.Examples; | ||
|
|
||
| // This is an example implementation of AzureCredentialProvider, which | ||
| // can be used to authenticate with Azure Container Registry. It implements |
There was a problem hiding this comment.
Call out that its using DefaultAzureCredential with the fully qualified type name using cref.
Signed-off-by: Xiaoxuan Wang <wangxiaoxuan119@gmail.com>
Signed-off-by: Xiaoxuan Wang <wangxiaoxuan119@gmail.com>
examples/OrasProject.Oras.Examples.Azure/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
Signed-off-by: Xiaoxuan Wang <wangxiaoxuan119@gmail.com>
examples/OrasProject.Oras.Examples.Azure/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
Signed-off-by: Xiaoxuan Wang <wangxiaoxuan119@gmail.com>
examples/OrasProject.Oras.Examples.Azure/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
Signed-off-by: Xiaoxuan Wang <wangxiaoxuan119@gmail.com>
|
|
||
| [Push an artifact to a remote repository](./push_artifact.md) | ||
|
|
||
| [Authenticate with Azure Container Registry](./authenticate_with_ACR.md) No newline at end of file |
There was a problem hiding this comment.
nit: We might want to put it in a new section called "Cloud-specific Examples" or something like that
There was a problem hiding this comment.
Added a new section "Cloud-specific Examples"
examples/OrasProject.Oras.Examples.Azure/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
examples/OrasProject.Oras.Examples.Azure/AzureCredentialProvider.cs
Outdated
Show resolved
Hide resolved
Signed-off-by: Xiaoxuan Wang <wangxiaoxuan119@gmail.com>
| if (string.IsNullOrEmpty(hostname)) | ||
| { | ||
| throw new ArgumentException("Hostname cannot be null or empty.", nameof(hostname)); | ||
| } | ||
|
|
||
| if (hostname != Host) | ||
| { | ||
| throw new ArgumentException($"Hostname '{hostname}' does not match the expected host '{Host}'.", nameof(hostname)); | ||
| } |
There was a problem hiding this comment.
ResolveCredentialAsync throws when hostname doesn’t match Host and compares with a case-sensitive !=. In this codebase, ICredentialProvider implementations return an empty credential for non-matching registries (see SingleRegistryCredentialProvider in src/OrasProject.Oras/Registry/Remote/Auth/SingleRegistryCredentialProvider.cs:75-89), and hostnames should be compared case-insensitively. Consider returning CredentialExtensions.EmptyCredential (or new Credential()) when the hostname doesn’t match, and using string.Equals(..., StringComparison.OrdinalIgnoreCase) (also use IsNullOrWhiteSpace for validation to match existing patterns).
| public static class AzureContainerRegistryAuthentication | ||
| { | ||
| // This example demonstrates how to use the ICredentialProvider interface to | ||
| // authenticate with Azure Container Registry, and perform a copy operation | ||
| // between two ACR repositories. | ||
| // For production use: Implement proper exception handling, cancellation, and dependency injection. | ||
| public static async Task AuthenticateWithAzureContainerRegistry() | ||
| { |
There was a problem hiding this comment.
This is an async method but its name doesn’t use the Async suffix, and it also omits a trailing optional CancellationToken parameter. Repo guideline is that async methods should end with Async and CancellationToken should be last with a default value; updating the example keeps it consistent with the rest of the codebase.
| var httpClient = new HttpClient(); | ||
|
|
There was a problem hiding this comment.
HttpClient is instantiated but never disposed. Even in examples, prefer using var httpClient = new HttpClient(); (or pass an injected/shared HttpClient) to avoid socket exhaustion and to model the recommended usage pattern.
What this PR does / why we need it
This PR adds an example of using oras-dotnet to authenticate with Azure Container Registry.
Which issue(s) this PR resolves / fixes
Resolves / Fixes #267
Please check the following list