Docker Hub API v2 令牌身份验证问题
Docker Hub API v2 token authentication issue
目前,我正在开发一个非常轻量级的 Docker 容器编排器,我必须能够从 public Docker Hub 注册表中获取图像摘要。为此,我想使用 Docker Registry API v2。
我正在尝试使用以下 API 调用获取授权令牌:
curl https://auth.docker.io/token?service=index.docker.io&scope=repository:alpine:pull
... 我收到如下回复:
{"token":"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJpbmRleC5kb2NrZXIuaW8iLCJleHAiOjE0NzQ1NDcyODMsImlhdCI6MTQ3NDU0Njk4MywiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiIzVTdCazF4dm9CLVA0MGJWVF9JSiIsIm5iZiI6MTQ3NDU0Njk4Mywic3ViIjoiIn0.516fS692WGHNi5Sc44iB8OFSLairrM6n1zNvVo5KXAxlsxsP4rE7VDmW5d0YqvTYeKfZAYIi9yEptx4xJlQ6DA"}
似乎一切正常,我正在尝试将获得的令牌用于我的下一个 API 调用:
curl -i -H "Authorization: Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJpbmRleC5kb2NrZXIuaW8iLCJleHAiOjE0NzQ1NDcyODMsImlhdCI6MTQ3NDU0Njk4MywiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiIzVTdCazF4dm9CLVA0MGJWVF9JSiIsIm5iZiI6MTQ3NDU0Njk4Mywic3ViIjoiIn0.516fS692WGHNi5Sc44iB8OFSLairrM6n1zNvVo5KXAxlsxsP4rE7VDmW5d0YqvTYeKfZAYIi9yEptx4xJlQ6DA" https://index.docker.io/v2/alpine/manifests/latest
...这是我得到的:
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:alpine:pull",error="invalid_token"
Date: Thu, 22 Sep 2016 12:27:54 GMT
Content-Length: 138
Strict-Transport-Security: max-age=31536000
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Name":"alpine","Action":"pull"}]}]}
有人知道为什么令牌认证对于如此简单的流程会失败吗?
Www-Authenticate header 中的响应试图告诉您您需要什么,尽管它可能更有帮助。
第一件事:你想要的service是registry.docker.io。
第二件事:scope 中的存储库名称不完整。 Official repositories 只有一个 single-part 名称,如 CLI 的 alpine,但在注册表中它被正确地称为 library/alpine。
因此您的令牌请求应该是:
curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/alpine:pull"
然后你的图片请求是:
curl --header "Authorization: Bearer eyJh..." https://index.docker.io/v2/library/alpine/manifests/latest
然后您会收到回复。
目前,我正在开发一个非常轻量级的 Docker 容器编排器,我必须能够从 public Docker Hub 注册表中获取图像摘要。为此,我想使用 Docker Registry API v2。
我正在尝试使用以下 API 调用获取授权令牌:
curl https://auth.docker.io/token?service=index.docker.io&scope=repository:alpine:pull
... 我收到如下回复:
{"token":"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJpbmRleC5kb2NrZXIuaW8iLCJleHAiOjE0NzQ1NDcyODMsImlhdCI6MTQ3NDU0Njk4MywiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiIzVTdCazF4dm9CLVA0MGJWVF9JSiIsIm5iZiI6MTQ3NDU0Njk4Mywic3ViIjoiIn0.516fS692WGHNi5Sc44iB8OFSLairrM6n1zNvVo5KXAxlsxsP4rE7VDmW5d0YqvTYeKfZAYIi9yEptx4xJlQ6DA"}
似乎一切正常,我正在尝试将获得的令牌用于我的下一个 API 调用:
curl -i -H "Authorization: Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJpbmRleC5kb2NrZXIuaW8iLCJleHAiOjE0NzQ1NDcyODMsImlhdCI6MTQ3NDU0Njk4MywiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiIzVTdCazF4dm9CLVA0MGJWVF9JSiIsIm5iZiI6MTQ3NDU0Njk4Mywic3ViIjoiIn0.516fS692WGHNi5Sc44iB8OFSLairrM6n1zNvVo5KXAxlsxsP4rE7VDmW5d0YqvTYeKfZAYIi9yEptx4xJlQ6DA" https://index.docker.io/v2/alpine/manifests/latest
...这是我得到的:
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:alpine:pull",error="invalid_token"
Date: Thu, 22 Sep 2016 12:27:54 GMT
Content-Length: 138
Strict-Transport-Security: max-age=31536000
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Name":"alpine","Action":"pull"}]}]}
有人知道为什么令牌认证对于如此简单的流程会失败吗?
Www-Authenticate header 中的响应试图告诉您您需要什么,尽管它可能更有帮助。
第一件事:你想要的service是registry.docker.io。
第二件事:scope 中的存储库名称不完整。 Official repositories 只有一个 single-part 名称,如 CLI 的 alpine,但在注册表中它被正确地称为 library/alpine。
因此您的令牌请求应该是:
curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/alpine:pull"
然后你的图片请求是:
curl --header "Authorization: Bearer eyJh..." https://index.docker.io/v2/library/alpine/manifests/latest
然后您会收到回复。