<div dir="ltr"><div><div><div><div>Hi Stian,<br><br></div>Docker's auth V2 (docs link above) is Oauth-ish, but doesn't seem to conform 100% to the specification. I started by just trying to stand up an OIDC endpoint to talk to docker and Keycloak threw a "Missing parameters: response_type" error. Turns out, Docker sends the GET request like this: <br><br>/auth/realms/redhat-external/protocol/docker-v2/auth?account=jcain&scope=repository%3Acentos%3Apull&service=docker-registry<br><br></div>Not only is the request missing the request_typer paremeter, but Docker uses different nomenclature than the OAuth/OIDC standard. For instance, I would expect the 'service' param to appear as the client_id param to conform to the OAuth spec.<br><br></div>Since it uses different nomenclature, I thought it would be a much cleaner implementation to just implement it as its own protocol. Didn't want to muddy up a clean OIDC/OAuth implemention.<br><br></div>Are there workarounds to deal with these differences that I'm missing?<br><div><div><div><br></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span><div><div>Josh Cain | Software Applications Engineer<br></div><i>Identity and Access Management</i><br></div><b>Red Hat</b><br>+1 843-737-1735<br></span></div></div></div>
<br><div class="gmail_quote">On Mon, Aug 15, 2016 at 5:56 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm not sure I fully understand. Are you using a Docker client to authenticate with Keycloak? That works with the standard OIDC flows, but it requires some additional claims in the token which you are adding with a protocol mapper?</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On 12 August 2016 at 15:31, Josh Cain <span dir="ltr"><<a href="mailto:josh.cain@redhat.com" target="_blank">josh.cain@redhat.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div><div>Hi All,<br><br></div>We want to use Keycloak as the IDP/Token issuer for authentication with a docker registry as per the specification found here:<br><br><a href="https://docs.docker.com/registry/spec/auth/" target="_blank">https://docs.docker.com/regist<wbr>ry/spec/auth/</a> <br><br></div>I've implemented a Protocol Mapper in Keycloak that successfully uses the IDP to perform a login against a registry/docker client. Is this something that the team is interested in building into the product? If so, I'd be happy to push back upstream.<span><font color="#888888"><br><div><div><div><br clear="all"><div><div data-smartmail="gmail_signature"><div dir="ltr"><span><div><div>Josh Cain | Software Applications Engineer<br></div><i>Identity and Access Management</i><br></div><b>Red Hat</b><br><a href="tel:%2B1%20843-737-1735" value="+18437371735" target="_blank">+1 843-737-1735</a><br></span></div></div></div>
</div></div></div></font></span></div>
<br></div></div><span class="">______________________________<wbr>_________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/keycloak-dev</a><br></span></blockquote></div><br></div>
</blockquote></div><br></div>