docker login as an OIDC user: Error response from daemon: Get "https://harbor.bd.test.lanrui-ai.com/v2/": unauthorized: authentication required #20051
The detailed error log of harbor-core is as follows:

2024-02-28T09:16:29Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 688deb6d-c302-4e09-8c64-e5cb5c070492 to the logger for the request GET /v2/
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /v2/
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="688deb6d-c302-4e09-8c64-e5cb5c070492"]: an unauthorized security context generated for request GET /v2/
2024-02-28T09:16:29Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized: unauthorized"}]}
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 7d9431c8-50ce-4112-9d8b-541974d13d00 to the logger for the request GET /service/token
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /service/token?account=perftest7&client_id=docker&offline_token=true&service=harbor-registry
2024-02-28T09:16:29Z [DEBUG] [/pkg/oidc/secret.go:87]: Verifying the secret for user: perftest7
2024-02-28T09:16:29Z [DEBUG] [/pkg/oidc/secret.go:116]: Refreshing token
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_groups_claim, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_admin_group, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_groups_claim, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_admin_group, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_groups_claim, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_admin_group, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="7d9431c8-50ce-4112-9d8b-541974d13d00"]: failed to verify secret, username: perftest7, error: failed to refresh token, username: perftest7, error: oauth2: "error: grant_type: refresh_token is not supported in this application"
2024-02-28T09:16:29Z [DEBUG] [/core/auth/authenticator.go:145]: Current AUTH_MODE is oidc_auth
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="116.236.195.166, 172.25.0.11" requestID="7d9431c8-50ce-4112-9d8b-541974d13d00" user agent="docker/20.10.10 go/go1.16.9 git-commit/e2f740d kernel/5.10.47-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.10 \(darwin\))"]: failed to authenticate user:perftest7, error:not supported
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="7d9431c8-50ce-4112-9d8b-541974d13d00"]: an unauthorized security context generated for request GET /service/token
2024-02-28T09:16:29Z [DEBUG] [/core/service/token/token.go:37]: URL for token request: /service/token?account=perftest7&client_id=docker&offline_token=true&service=harbor-registry
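An added example, not part of the thread and not Harbor's own code: a triage script that groups harbor-core ERROR lines by request ID and extracts the OAuth2 error behind a failed OIDC CLI-secret check, so the later `basic_auth.go` error for the same request is not mistaken for the cause. The sample lines are constructed in the shape of the log above, and the names `classify` and `triage` are hypothetical.

```python
import re
from collections import defaultdict

# Line shape seen above: <ts> [LEVEL] [/path/file.go:NN][k="v" ...]: message
LINE = re.compile(r'^(?P<ts>\S+) \[(?P<level>[A-Z]+)\] \[(?P<src>[^\]:]+):\d+\]'
                  r'(?:\[(?P<fields>.*?)\])?: (?P<msg>.*)$')
REQ_ID = re.compile(r'requestID="([^"]+)"')
REFRESH = re.compile(r'failed to refresh token, username: (?P<user>[^,]+), error: (?P<err>.+)$')

def classify(oauth_err):
    """Map the IdP's OAuth2 error text to a coarse cause."""
    low = oauth_err.lower()
    if "grant_type" in low and "refresh_token" in low and "not supported" in low:
        return "idp_rejects_refresh_token_grant"
    return "refresh_failed_other"

def triage(lines):
    """Group ERROR lines by requestID and report requests whose OIDC CLI-secret
    check failed at the token refresh step, with later errors of that request."""
    by_req = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or m["level"] != "ERROR":
            continue
        rid = REQ_ID.search(m["fields"] or "")
        if rid:
            by_req[rid.group(1)].append((m["src"], m["msg"]))
    findings = {}
    for rid, errs in by_req.items():
        for i, (src, msg) in enumerate(errs):
            hit = REFRESH.search(msg) if src.endswith("oidc_cli.go") else None
            if hit:
                findings[rid] = {
                    "user": hit["user"],
                    "cause": classify(hit["err"]),
                    "idp_error": hit["err"],
                    "later_errors": [s for s, _ in errs[i + 1:]],
                }
                break
    return findings

# Constructed sample lines (same shape as the log above; all values are made up).
SAMPLE = [
    '2024-01-01T00:00:00Z [DEBUG] [/pkg/oidc/secret.go:87]: Verifying the secret for user: alice',
    '2024-01-01T00:00:00Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="req-0001"]: failed to verify secret, username: alice, error: failed to refresh token, username: alice, error: oauth2: "error: grant_type: refresh_token is not supported in this application"',
    '2024-01-01T00:00:00Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="203.0.113.7" requestID="req-0001" user agent="docker/20.10.10"]: failed to authenticate user:alice, error:not supported',
    '2024-01-01T00:00:05Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="203.0.113.8" requestID="req-0002" user agent="docker/20.10.10"]: failed to authenticate user:bob, error:not supported',
]
```

A finding with cause `idp_rejects_refresh_token_grant` means the identity provider refused the `refresh_token` grant during the secret check, as in the ERROR line from `oidc_cli.go` above.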
I think I am having the same issue with Okta, although this happens to me even using Robot Accounts. Which I thought had nothing to do with the upstream IdP and locally issued... or not?
This comes up when I try with a Robot Account
I traced my issue to this #20080, not sure you are having the same issue or not...
When logging in with the CLI, you should log in with the OIDC CLI secret, not the OIDC username/password.
@stonezdj
I'm not sure if it has something to do with my upgrade from harbor-2.5 to harbor-2.10
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
I use Casdoor as the OIDC provider.
I found that some users can log in to Docker normally, but some users cannot.
For those users who cannot log in using Docker, I can log in using docker login again after logging in through the Harbor browser console, but they cannot log in again after the token expiration time.
My harbor oidc configuration is as follows:
Docker login error is as follows:
Error response from daemon: Get "https://harbor.example.com/v2/": unauthorized: authentication required
The error log of harbor-core is as follows: