Why is Bearer authn special

[mottetm]

Hey there!

Just wanted to understand why the bearer authentication scheme has a special status? By special status, I mean that if enabled, it is the only authn method that can be used (authn.go#L58-L60). I was hoping to be able to have anonymous read-only access to the registry and pushes protected by a bearer token but with the current setup, it is not possible. Is there a reason behind this design decision?

[andaaron]

Hi, it is unclear to me how clients would work if the server is sending 2 separate WWW-Authenticate headers, one for Bearer, one for Basic.
That's why it is separate from the Basic authentication.

With regards to anonymous, given the discussion/findings discussed in #2928, for other registries such as Dockerhub, even anonymous uses a bearer token (we'd still need some customization to make that work though).

[mottetm]

I completely understand that supporting more than one type of authentication is can of worms that one might not want to open. That being said, I'm not sure that requiring anonymous bearer token is necessarily the best way forward 🤔 If we go back to the spec, specifically what concerns the /v2/ endpoint, we have for the unauthorized access:

If a 401 Unauthorized response is returned, the client should take action based on the contents of the “WWW-Authenticate” header and try the endpoint again. Depending on access control setup, the client may still have to authenticate against different resources, even if this check succeeds.

It would be perfectly compliant to return a 200 OK on a call to /v2/ without token if anonymous access is enabled on some paths and to later return a WWW-Authenticate header when trying to access protected resources. Not sure that Harbor also does it that way is the correct argument in that specific question.

In any case, I would love to take a shot at it with a PR if that's a direction the project would be interested to take but I also understand if it's not the case 🙂

[rchincha]

@mottetm what client are you using?
AFAIK, HTTP rfcs allow for multiple Authorization headers, however OCI dist-spec is not clear on handling this on registry side.
But do give us a PR.

[mottetm]

The tooling that we are using is using crane internally. Let me give it a try when I have some free time.

[andaaron]

This needs to be experimented with as well It would be perfectly compliant to return a 200 OK on a call to /v2/ without token if anonymous access is enabled.