[keycloak-dev] Docker Protocol?

Josh Cain josh.cain at redhat.com
Mon Aug 15 10:41:10 EDT 2016 

Hi Stian,

Docker's auth V2 (docs link above) is Oauth-ish, but doesn't seem to
conform 100% to the specification.  I started by just trying to stand up an
OIDC endpoint to talk to docker and Keycloak threw a "Missing parameters:
response_type" error.  Turns out, Docker sends the GET request like this:

/auth/realms/redhat-external/protocol/docker-v2/auth?account=jcain&scope=repository%3Acentos%3Apull&service=docker-registry

Not only is the request missing the request_typer paremeter, but Docker
uses different nomenclature than the OAuth/OIDC standard.  For instance, I
would expect the 'service' param to appear as the client_id param to
conform to the OAuth spec.

Since it uses different nomenclature, I thought it would be a much cleaner
implementation to just implement it as its own protocol.  Didn't want to
muddy up a clean OIDC/OAuth implemention.

Are there workarounds to deal with these differences that I'm missing?


Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Mon, Aug 15, 2016 at 5:56 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> I'm not sure I fully understand. Are you using a Docker client to
> authenticate with Keycloak? That works with the standard OIDC flows, but it
> requires some additional claims in the token which you are adding with a
> protocol mapper?
>
> On 12 August 2016 at 15:31, Josh Cain <josh.cain at redhat.com> wrote:
>
>> Hi All,
>>
>> We want to use Keycloak as the IDP/Token issuer for authentication with a
>> docker registry as per the specification found here:
>>
>> https://docs.docker.com/registry/spec/auth/
>>
>> I've implemented a Protocol Mapper in Keycloak that successfully uses the
>> IDP to perform a login against a registry/docker client.  Is this something
>> that the team is interested in building into the product?  If so, I'd be
>> happy to push back upstream.
>>
>> Josh Cain | Software Applications Engineer
>> *Identity and Access Management*
>> *Red Hat*
>> +1 843-737-1735
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160815/b067fa85/attachment.html

More information about the keycloak-dev mailing list