CLI Cient Authentication #9
Comments
|
OK. I'm having issues, but I the
NOTE: This token (at least by default) expires in 300 seconds. Perhaps the simplest way to handle this is to get a new token (and pass it to the client) for each Docker CLI call. |
|
The same question was asked here. I've replied to see if I can solicit a response from the original poster or community. |
|
Created an issue on the docker repo. |
|
I finally resolved the bearer token issue. It was an authentication issue when requesting the token that was causing an empty I'm going to work up some code that obtains and relays a token to the client. Once I get it working, I'll provide it here so you can consider running something comparable before the relevant CLI calls. |
|
TL;DR the docker folks recommend logging in on the target or logging in locally and pushing the docker conf file to the target. After resolving all of these bearer token issues, I learned that Bearer tokens cannot be manually injected into the CLI. The "long-lived refresh tokens" that are supposed to fill this role are also unsupported. Finally, there's a credential manager option, but it doesn't sound like it adds much for the (considerable) trouble. The full exchange can be found on the docker ticket. I don't think it's a good idea to automatically distribute a user's credentials (the docker conf strategy does this). Instead, I think it makes sense to document the limitation and wait until long lived refresh tokens are an option. |
The CLI introduces an extra wrinkle when it comes to authentication. Since we're not using the API, our local credentials doesn't get used by the client. Obviously, the simplest solution is to
docker loginon the client side, but that leaves a password hash in.docker/config.jsonso I'm trying to figure out if we can use the token infrastructure with the CLI.The text was updated successfully, but these errors were encountered: