docker-registry-ui and keycloak auth #165

Closed
vitalybrandes opened this issue Jan 17, 2021 · 13 comments · Fixed by #167

@vitalybrandes

Is there any additional auth module besides basic-realm?
I am running the registry with Keycloak SSO and it would be great if I could log in to the UI with the same user.

Now, when I try to set up both, Keycloak and basic-realm, I get an issue with the Registry (cannot log in) as well as with the UI (cannot log in).
Maybe there is a workaround?
My docker-compose file:

  registry:
    image: "registry:2.7.1"
    ports:
      - "5000:5000"
    restart: "always"
    volumes:
      - ./config/certs:/opt/certs:z
      - ./data/registry:/data:z
      - ./config/settings/credentials.yml:/etc/docker/registry/config.yml
      - ./config/settings/htpasswd/htpasswd:/etc/docker/registry/htpasswd
    environment:
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /opt/certs/registry_trust_chain.pem
      REGISTRY_AUTH_TOKEN_REALM: http://localhost:8011/auth/realms/docker-registry/protocol/docker-v2/auth
      REGISTRY_AUTH_TOKEN_SERVICE: docker-registry
      REGISTRY_AUTH_TOKEN_ISSUER: http://localhost:8011/auth/realms/docker-registry
    networks:
      - proxy

  ui:
    image: joxit/docker-registry-ui:static
    ports:
      - 8009:80
    environment:
      - REGISTRY_TITLE=Dip-Tech Docker Registry
      - URL=http://localhost:5000
    depends_on:
      - registry
    networks:
      - proxy
@vitalybrandes (Author):

Changing the auth in the config.yml file to:

auth:
  token:
    autoredirect: true
    realm: http://localhost:8011/auth/realms/docker-registry/protocol/docker-v2/auth
    service: docker-registry
    issuer: http://localhost:8011/auth/realms/docker-registry
    rootcertbundle: /opt/certs/registry_trust_chain.pem

I get this error from the UI:
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}

Login to registry:5000 is OK using Keycloak as the auth realm.

Does docker-registry-ui not support token auth?

@Joxit (Owner) commented Jan 20, 2021

Hi, the UI is not compatible with OAuth, only basic-auth is supported.

This may require a lot of development. But I could try to do it on my free time.

@vitalybrandes (Author):

> Hi, the UI is not compatible with OAuth, only basic-auth is supported.
>
> This may require a lot of development. But I could try to do it on my free time.

@Joxit thank you for the reply,

Can I somehow auth the registry with Keycloak and the UI (read-only) with basic-auth?

@Joxit (Owner) commented Jan 20, 2021

I don't think so.

> The auth option is optional. Possible auth providers include:
>
>   • silly
>   • token
>   • htpasswd
>   • [none]
>
> You can configure only one authentication provider.

From the docker registry documentation.

It seems like this token auth is a custom protocol (a flag in Keycloak) 😢

@vitalybrandes (Author):

> I don't think so.
>
> > The auth option is optional. Possible auth providers include:
> >
> >   • silly
> >   • token
> >   • htpasswd
> >   • [none]
> >
> > You can configure only one authentication provider.
>
> From the docker registry documentation.
>
> It seems like this token auth is a custom protocol (a flag in Keycloak) 😢

I do authenticate the registry with Keycloak using token auth and it is OK.
The problem is that I cannot log in to the UI, as the UI works with basic-auth.
I am wondering how I can make it work, anyhow....

@volschin:

The docker-registry-ui image is based on nginx. How to integrate nginx with Keycloak you can read here:
https://developers.redhat.com/blog/2018/10/08/configuring-nginx-keycloak-oauth-oidc/

@Joxit (Owner) commented Jan 24, 2021

@vitalybrandes I did some research and I think I will be able to add this feature in the near future (Keycloak token auth with a private registry).

@volschin Is this really working with both the registry and the UI?

@Joxit Joxit self-assigned this Jan 24, 2021
@volschin:

Don't know. What I want to make clear: this is not working out of the box. IIRC this is also part of nginx plus.

@vitalybrandes (Author):

> @vitalybrandes I did some research and I think I will be able to add this feature in the near future (Keycloak token auth with a private registry).
>
> @volschin Is this really working with both the registry and the UI?

It would be great!
Thanks 👍

@Joxit Joxit added this to the 2.0.0 milestone Mar 11, 2021
@StWiemann commented Apr 1, 2021

Hi Joxit, great work! I would be interested in something like that as well.
I am running a private registry in Kubernetes with an external Keycloak IdM for multiple services. It would be neat to have only one user management for everything.

If all this is old news to you, my apologies:

I think you would need to use the docker-v2 client protocol with Keycloak.
If I can provide any help with this, please let me know.

Getting an access token for the docker-registry from Keycloak is rather easy and looks something like this (the URL is quoted so the shell does not treat `&` as a background operator or expand `*`):

curl "https://keycloak.example/auth/realms/{REALM}/protocol/docker-v2/auth?service={CLIENT-NAME}&scope=registry:catalog:*" \
  --header "Authorization: Basic {b64 user:password}"

Keycloak answers with an access token (which usually has a lifespan of 5 minutes), which can be used to query the registry with an `Authorization: Bearer {Token}` header.

Keycloak does not offer the refresh_token functionality described in docs.docker, so most likely you would GET the access token frequently to prevent invalid authentication. And I even think that Keycloak only permits "Basic Auth" with the docker protocol.

So it is a bit messy, but the only way to implement external authentication for the UI I could think of would be a specific Keycloak user for the UI and some kind of OAuth proxy in front of the whole thing, which would be up to the user to deploy...

Edit: Or of course a login form to provide your own Keycloak credentials to query the catalog. :)

@Joxit (Owner) commented Apr 1, 2021

Hi @StWiemann, thank you for your message 😄 this work is a part of my 2.0.0 milestone

I started to work on this in #167 but this was delayed with #176 which was longer than expected but I just finished it 😄

Next features will be #122 and #176 😉

@Joxit (Owner) commented Apr 8, 2021

Hum.... I did some work on this issue, and it seems like this protocol is not suitable for this use.

The token can be used for only one resource/scope. That means if the scope is registry:catalog:* you will see the full catalog.
But when you click on a specific image, the scope will change; for example, for an image named alpine the scope will be repository:alpine:pull. For an image named debian the scope will be repository:debian:pull, etc.

I have three issues with this:

  1. The previous token for the catalog will not work (401 Unauthorized)
  2. I can't generate a token that will match all images (e.g. alpine, debian....)
  3. I can't generate a token each time, because for that it would be necessary to:
    1. Save the username:password in localstorage/cookie => Security issue
    2. Save the password in memory and ask again after each page refresh => Annoying, but still the best option...

This works fine with the docker client because the password is saved on the disk.... But in our case 😨
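The two comments above (StWiemann's description of fetching a token from Keycloak's docker-v2 endpoint with Basic auth, and Joxit's observation that a token is bound to a single scope, so the catalog token is rejected for repository:alpine:pull) describe the client side of the Docker registry v2 token flow. The following added example, which is not code from docker-registry-ui or Keycloak, walks through that flow end to end: parsing the 401 challenge, requesting a token per scope, retrying with Bearer, and keeping the password only in memory (Joxit's option 2). The hostnames, sample user, and the in-memory stand-ins for Keycloak and the registry are constructed assumptions so the exchange runs offline; a real deployment would replace `http_get` with an HTTP client.

```python
"""Docker registry v2 token flow, client side: a 401 carries a WWW-Authenticate
Bearer challenge (realm, service, scope); the client gets a short-lived token
from the realm with HTTP Basic and retries with Authorization: Bearer. Tokens
are scope-bound, so each image needs its own token and expired ones are
re-fetched. Added example; hosts, user and fake servers are assumptions."""
import base64
import json
import re
import time
from urllib.parse import parse_qs, urlencode, urlparse

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Turn 'Bearer realm="...",service="...",scope="..."' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {header!r}")
    return dict(_PARAM_RE.findall(params))


def token_request_url(realm, service, scope):
    """GET the token endpoint expects; urlencode keeps ':' and '*' in scope safe."""
    return f"{realm}?{urlencode({'service': service, 'scope': scope})}"


def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class ScopedTokenClient:
    """Password stays in memory only; one cached token per scope, re-fetched
    when the registry challenges for a scope without a live token."""

    def __init__(self, user, password, http_get, now=time.time, skew=5):
        self._user, self._password = user, password
        self._http_get = http_get   # callable(url, headers) -> (status, headers, body)
        self._now, self._skew = now, skew
        self._tokens = {}           # scope -> (token, expires_at)
        self.token_fetches = 0

    def _token_for(self, challenge):
        scope = challenge["scope"]
        cached = self._tokens.get(scope)
        if cached and cached[1] - self._skew > self._now():
            return cached[0]
        url = token_request_url(challenge["realm"], challenge["service"], scope)
        auth = {"Authorization": basic_auth_header(self._user, self._password)}
        status, _, body = self._http_get(url, auth)
        if status != 200:
            raise PermissionError(f"token endpoint returned {status} for {scope}")
        data = json.loads(body)
        token = data.get("token") or data["access_token"]   # field names per the Docker token spec
        self._tokens[scope] = (token, self._now() + int(data.get("expires_in", 60)))
        self.token_fetches += 1
        return token

    def get(self, url):
        status, headers, body = self._http_get(url, {})
        if status != 401:
            return status, body
        token = self._token_for(parse_bearer_challenge(headers["WWW-Authenticate"]))
        status, _, body = self._http_get(url, {"Authorization": "Bearer " + token})
        return status, body


# ---- constructed stand-ins for Keycloak and the registry (assumptions) ----
REALM = "https://keycloak.example/auth/realms/docker-registry/protocol/docker-v2/auth"
SERVICE = "docker-registry"
REGISTRY = "https://registry.example"
CREDS = ("alice", "s3cret")   # constructed sample user


def make_fake_transport(now):
    issued = {}   # token -> expiry, as the fake Keycloak tracks what it handed out

    def http_get(url, headers):
        if url.startswith(REALM):   # Keycloak docker-v2 endpoint: Basic in, token out
            if headers.get("Authorization") != basic_auth_header(*CREDS):
                return 401, {}, ""
            scope = parse_qs(urlparse(url).query)["scope"][0]
            token = f"tok{len(issued)}:{scope}"
            issued[token] = now() + 300
            return 200, {}, json.dumps({"token": token, "expires_in": 300})
        path = urlparse(url).path   # registry: demand the scope matching the path
        m = re.fullmatch(r"/v2/(.+)/tags/list", path)
        if path == "/v2/_catalog":
            need = "registry:catalog:*"
        elif m:
            need = f"repository:{m.group(1)}:pull"
        else:
            return 404, {}, ""
        tok = headers.get("Authorization", "")[len("Bearer "):]
        if tok in issued and issued[tok] > now() and tok.split(":", 1)[1] == need:
            return 200, {}, json.dumps({"ok": path})
        www = f'Bearer realm="{REALM}",service="{SERVICE}",scope="{need}"'
        return 401, {"WWW-Authenticate": www}, '{"errors":[{"code":"UNAUTHORIZED"}]}'

    return http_get


def demo():
    clock = [1000.0]

    def now():
        return clock[0]

    client = ScopedTokenClient(*CREDS, http_get=make_fake_transport(now), now=now)
    r = {}
    r["catalog"] = client.get(f"{REGISTRY}/v2/_catalog")[0]         # fetch 1: registry:catalog:*
    r["catalog_again"] = client.get(f"{REGISTRY}/v2/_catalog")[0]   # cached, no fetch
    r["alpine"] = client.get(f"{REGISTRY}/v2/alpine/tags/list")[0]  # new scope: fetch 2
    r["debian"] = client.get(f"{REGISTRY}/v2/debian/tags/list")[0]  # new scope: fetch 3
    r["fetches"] = client.token_fetches
    clock[0] += 400                                                 # past the 300 s token life
    r["alpine_after_expiry"] = client.get(f"{REGISTRY}/v2/alpine/tags/list")[0]
    r["fetches_after_expiry"] = client.token_fetches
    return r


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the cost Joxit describes: three images or the catalog mean three separate token requests, and every expiry means another one, each carrying the Basic credentials again. Nothing is written to localStorage or a cookie; the credentials live only in the `ScopedTokenClient` instance, which is why a page refresh would have to ask for them again.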

@Joxit (Owner) commented Apr 13, 2021

Will be released in 2.0.0 🚀
