OAuth2 flow fails against docker trusted registry (missing client_id) #1545

Closed
apwil opened this issue Mar 11, 2019 · 5 comments

@apwil

apwil commented Mar 11, 2019

Description of the issue:

When pulling/pushing to a docker trusted registry, authentication fails with error:
400 Bad Request {"details":"invalid client ID"}

Docker registry (DTR) requires a client_id parameter to be passed with the refresh_token when making a login request.

From
https://docs.docker.com/registry/spec/auth/oauth/

client_id
(REQUIRED) String identifying the client. This client_id does not need to be registered with the authorization server but should be set to a meaningful value in order to allow auditing keys created by unregistered clients. Accepted syntax is defined in RFC6749 Appendix A.1

Expected behavior:
It should be possible to pull a base image from an internal docker registry (DTR) using OAuth2 authentication flow.

Steps to reproduce:

docker-credential-wincred list
{"internalregistry":"\u003ctoken\u003e"}
  • Run mvn jib:dockerBuild
    Build fails with error:
    Unauthorized for internalregistry/base/custom-base-image: 400 Bad Request
    [ERROR] {"details":"invalid client ID"}

Environment:
jib-maven-plugin 1.0.2
maven 3.5.0
jdk 1.8.0_131

jib-maven-plugin Configuration:

<from>
   <image>internalregistry/base/custom-base-image</image>
</from>

Log output:
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.0.2:dockerBuild (default-cli) on project my-project Build to Docker daemon failed, perhaps you should set a credential helper name with the configuration '' or set credentials for 'internalregistry' in your Maven settings: Unauthorized for internalregistry/base/custom-base-image: 400 Bad Request
[ERROR] {"details":"invalid client ID"}

@apwil
Author

apwil commented Mar 11, 2019

Note that the following fix:

@@ -269,7 +269,7 @@ public class RegistryAuthenticator {
     String serviceScope = getServiceScopeRequestParameters(scope);
     return isOAuth2Auth()
         ? serviceScope
-            + "&grant_type=refresh_token&refresh_token="
+            + "&client_id=jib&grant_type=refresh_token&refresh_token="
             // If OAuth2, credential.getPassword() is a refresh token.
             + Verify.verifyNotNull(credential).getPassword()
         : serviceScope;
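
Review bot: the added `client_id=jib` is a bare literal buried in the concatenated parameter string, and on the following lines the refresh token from `credential.getPassword()` is appended to that same string with no URL-encoding visible in this hunk. Suggest moving `jib` into a named constant with a comment that the registry token spec marks client_id as REQUIRED, and encoding the token value before concatenation so that a token containing `&`, `=` or `+` cannot change the other parameters.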

Fixes this issue for me, but I imagine it might cause problems with other OAuth2 endpoints. Does anyone know if ACR (for example) will be affected by a dummy client_id in the request?

@chanseokoh
Member

Aha! Thanks @apwil for the detailed information and a pointer for a potential fix.

Since the spec says client_id is required, I think Jib should provide it in principle. The spec says the client doesn't have to be registered with the auth server. Sounds like it can be an arbitrary (meaningful) value for auditing purposes, so hopefully ACR won't be affected. @andxu it'd be nice if you can confirm if passing client_id=jib works with ACR.

@andxu
Contributor

andxu commented Mar 12, 2019

@chanseokoh I have tested your PR over ACR, it passes.

@apwil
Author

apwil commented Mar 12, 2019

Thanks @chanseokoh for the very quick turnaround of this issue!
I see that it is targeted for 1.1.0 - would it be possible to have it in a 1.0.3 release given that it completes the work done in #1490?

@chanseokoh
Member

@apwil Jib 1.1.0 with the fix released.
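
The refresh-token request body discussed in this issue, as an added example that is not part of the thread and not Jib's own code: it checks client_id against the RFC 6749 Appendix A.1 syntax cited above and URL-encodes every value. The class and method names are hypothetical, and the service, scope and token values are constructed samples.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

/** Hypothetical helper (not Jib's code): body of a refresh-token request to a registry token endpoint. */
public class RegistryTokenRequest {

  /** RFC 6749 Appendix A.1: client-id = *VSCHAR, where VSCHAR is %x20-7E. */
  static boolean isValidClientId(String clientId) {
    if (clientId == null || clientId.isEmpty()) {
      return false; // the registry spec marks client_id REQUIRED, so empty is rejected here
    }
    for (char c : clientId.toCharArray()) {
      if (c < 0x20 || c > 0x7E) {
        return false;
      }
    }
    return true;
  }

  static String buildBody(String service, String scope, String clientId, String refreshToken)
      throws UnsupportedEncodingException {
    if (!isValidClientId(clientId)) {
      throw new IllegalArgumentException("client_id must be non-empty printable ASCII");
    }
    Map<String, String> params = new LinkedHashMap<>();
    params.put("service", service);
    params.put("scope", scope);
    params.put("client_id", clientId);
    params.put("grant_type", "refresh_token");
    params.put("refresh_token", refreshToken);

    StringJoiner body = new StringJoiner("&");
    for (Map.Entry<String, String> p : params.entrySet()) {
      // Encode every value so '&', '=', '+' or '/' in a token cannot split or alter a parameter.
      body.add(p.getKey() + "=" + URLEncoder.encode(p.getValue(), "UTF-8"));
    }
    return body.toString();
  }

  public static void main(String[] args) throws UnsupportedEncodingException {
    // Constructed sample values; the token is a placeholder, not a real credential.
    System.out.println(buildBody("internalregistry", "repository:base/custom-base-image:pull",
        "jib", "constructed+token/with=special&chars"));
  }
}
```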
