[27.x backport] auth: add support for oauth device-code login #5349

Merged
merged 4 commits into from
Aug 16, 2024

@laurazard laurazard commented Aug 15, 2024

Backports: #5344

Includes:

I didn't include 5eb3275, as that would only make sense with ab80ea3. (But maybe it does make sense to backport both of those).

- Description for the changelog

Added support for device-code flow login when authenticating to the official registry.

@laurazard laurazard changed the title auth: add support for oauth device-code login [27.x backport]auth: add support for oauth device-code login Aug 15, 2024
@laurazard laurazard changed the title [27.x backport]auth: add support for oauth device-code login [27.x backport] auth: add support for oauth device-code login Aug 15, 2024

codecov-commenter commented Aug 15, 2024

Codecov Report

Attention: Patch coverage is 60.31746% with 125 lines in your changes missing coverage. Please review.

Project coverage is 61.55%. Comparing base (d01f264) to head (ad7912a).
Report is 7 commits behind head on 27.x.

Additional details and impacted files
@@            Coverage Diff             @@
##             27.x    #5349      +/-   ##
==========================================
+ Coverage   61.49%   61.55%   +0.05%     
==========================================
  Files         299      303       +4     
  Lines       20869    21135     +266     
==========================================
+ Hits        12834    13009     +175     
- Misses       7120     7197      +77     
- Partials      915      929      +14     

This commit adds support for the oauth [device-code](https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow)
login flow when authenticating against the official registry.

This is achieved by adding `cli/internal/oauth`, which contains code to manage
interacting with the Docker OAuth tenant (`login.docker.com`), including launching
the device-code flow, refreshing access using the refresh-token, and logging out.

The `OAuthManager` introduced here is also made available through the `command.Cli`
interface method `OAuthManager()`.

In order to maintain compatibility with any clients manually accessing
the credentials through `~/.docker/config.json` or via credential
helpers, the added `OAuthManager` uses the retrieved access token to
automatically generate a PAT with Hub, and store that in the
credentials.

Signed-off-by: Laura Brehm <[email protected]>
(cherry picked from commit fcfdd7b)
Signed-off-by: Laura Brehm <[email protected]>
Signed-off-by: Laura Brehm <[email protected]>
(cherry picked from commit 6e4818e)
Signed-off-by: Laura Brehm <[email protected]>
Signed-off-by: Laura Brehm <[email protected]>
(cherry picked from commit e662467)
Signed-off-by: Laura Brehm <[email protected]>
Signed-off-by: Laura Brehm <[email protected]>
(cherry picked from commit c3fe7bc)
Signed-off-by: Laura Brehm <[email protected]>
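
For reference, the polling half of the device-code flow described in the commit message above, following the error codes defined in RFC 8628. This is an added example, not code from docker/cli: `pollDeviceToken`, `replay`, the injected `poll`/`sleep` hooks and the JSON replies are constructed for illustration, and a real client would have `poll` POST the device code to the authorization server's token endpoint.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// tokenReply holds the RFC 8628 token-endpoint fields this example needs.
type tokenReply struct {
	AccessToken string `json:"access_token"`
	Error       string `json:"error"`
}

// pollDeviceToken polls until a token or terminal error arrives; poll and sleep are hypothetical injected hooks.
func pollDeviceToken(poll func() (tokenReply, error), sleep func(time.Duration), interval, expiresIn time.Duration) (string, error) {
	for waited := time.Duration(0); waited < expiresIn; {
		sleep(interval)
		waited += interval
		r, err := poll()
		if err != nil {
			return "", err
		}
		switch r.Error {
		case "authorization_pending": // user has not approved yet: keep polling
		case "slow_down": // RFC 8628 section 3.5: add 5 seconds to every later poll
			interval += 5 * time.Second
		case "": // no error member: the reply carries the token
			return r.AccessToken, nil
		default: // access_denied, expired_token or unknown: stop polling
			return "", fmt.Errorf("device flow: %s", r.Error)
		}
	}
	return "", fmt.Errorf("device flow: device code expired before approval")
}

// replay serves constructed JSON replies in order, standing in for the token endpoint.
func replay(replies ...string) func() (tokenReply, error) {
	return func() (r tokenReply, err error) {
		err = json.Unmarshal([]byte(replies[0]), &r)
		replies = replies[1:]
		return r, err
	}
}

func main() {
	poll := replay(`{"error":"authorization_pending"}`, `{"error":"slow_down"}`, `{"access_token":"constructed-token"}`)
	fmt.Println(pollDeviceToken(poll, func(time.Duration) {}, 5*time.Second, 5*time.Minute))
}
```

In the constructed run the third poll waits 10 seconds instead of 5 because `slow_down` raised the interval, and any terminal error ends the loop rather than being retried.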

vvoland commented Aug 16, 2024

> I didn't include 5eb3275, as that would only make sense with ab80ea3. (But maybe it does make sense to backport both of those).

I think that's reasonable 👍🏻

Can you also include the rest of the labels and the changelog description from the master branch PR? ☺️
Thanks!

@laurazard
Member Author

Done @vvoland, please check if that looks good :')

@vvoland vvoland left a comment

LGTM, thanks!

@vvoland vvoland added this to the 27.2.0 milestone Aug 16, 2024
@vvoland vvoland merged commit c5e733b into docker:27.x Aug 16, 2024
99 of 105 checks passed
renovate bot added a commit to earthly/dind that referenced this pull request Sep 2, 2024
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker/docker](https://redirect.github.com/docker/docker) | minor | `27.1.2` -> `27.2.0` |

---

### Release Notes

<details>
<summary>docker/docker (docker/docker)</summary>

### [`v27.2.0`](https://redirect.github.com/moby/moby/releases/tag/v27.2.0)

[Compare Source](https://redirect.github.com/docker/docker/compare/v27.1.2...v27.2.0-rc.1)

#### 27.2.0

For a full list of pull requests and changes in this release, refer to
the relevant GitHub milestones:

- [docker/cli, 27.2.0
milestone](https://redirect.github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A27.2.0)
- [moby/moby, 27.2.0
milestone](https://redirect.github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A27.2.0)
- Deprecated and removed features, see [Deprecated
Features](https://redirect.github.com/docker/cli/blob/v27.2.0/docs/deprecated.md).
- Changes to the Engine API, see [API version
history](https://redirect.github.com/moby/moby/blob/v27.2.0/docs/api/version-history.md).

##### New

- CLI: Add support for device-code flow login when authenticating to the
official registry.
[docker/cli#5349](https://redirect.github.com/docker/cli/pull/5349)
- containerd image store: `docker image ls` now supports `--tree` flag
that shows a multiplatform-aware image list. This is experimental and
may change at any time without any backwards compatibility.
[docker/cli#5353](https://redirect.github.com/docker/cli/pull/5353)

##### API

- `GET /images/json` response now includes `Manifests` field, which
contains information about the sub-manifests included in the image
index. This includes things like platform-specific manifests and build
attestations.
The new field will only be populated if the request also sets the
`manifests` query parameter to `true`.

> \[!WARNING]
>
> This is experimental and may change at any time without any backward
compatibility.

##### Bug fixes and enhancements

- CLI: Fix issue with remote contexts over SSH where the CLI would
allocate a pseudoterminal when connecting to the remote host, which
causes issues in rare situations.
[docker/cli#5351](https://redirect.github.com/docker/cli/pull/5351)
- Fix an issue that prevented network creation with a `--ip-range`
ending on a 64-bit boundary.
[moby/moby#48326](https://redirect.github.com/moby/moby/pull/48326)
- CLI: IPv6 addresses shown by `docker ps` in port bindings are now
bracketed.
[docker/cli#5365](https://redirect.github.com/docker/cli/pull/5365)
- containerd image store: Fix early error exit from `docker load` in
cases where unpacking the image would fail.
[moby/moby#48376](https://redirect.github.com/moby/moby/pull/48376)
- containerd image store: Fix the previous image not being persisted as
dangling after `docker pull`.
[moby/moby#48380](https://redirect.github.com/moby/moby/pull/48380)

##### Packaging updates

- Update BuildKit to
[v0.15.2](https://redirect.github.com/moby/buildkit/releases/tag/v0.15.2).
[moby/moby#48341](https://redirect.github.com/moby/moby/pull/48341)
- Update Compose to
[v2.29.2](https://redirect.github.com/docker/compose/releases/tag/v2.29.2).
[docker/docker-ce-packaging#1050](https://redirect.github.com/docker/docker-ce-packaging/pull/1050)
- The canonical source for the dockerd(8) man page has been moved back
to the same source tree as dockerd itself.
[moby/moby#48378](https://redirect.github.com/moby/moby/pull/48378)
- Update containerd to
[v1.7.21](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.21).
[moby/moby#48383](https://redirect.github.com/moby/moby/pull/48383),
[docker/containerd-packaging#389](https://redirect.github.com/docker/containerd-packaging/pull/389)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 6am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/earthly/dind).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
3 participants