docker login using an OIDC user: Error response from daemon: Get "https://harbor.bd.test.lanrui-ai.com/v2/": unauthorized: authentication required #20051

Open
cywang4 opened this issue Feb 28, 2024 · 8 comments
cywang4 commented Feb 28, 2024

I use Casdoor as the OIDC provider.
I found that some users can log in to docker normally, but some users cannot.
For those users who cannot log in using docker, I can log in using docker login again after logging in through the Harbor browser console, but they cannot log in again after the token expiration time.
My Harbor OIDC configuration is as follows:
[image]

Docker login error is as follows:

Error response from daemon: Get "https://harbor.example.com/v2/": unauthorized: authentication required

The error log of harbor-core is as follows:

2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="7d9431c8-50ce-4112-9d8b-541974d13d00"]: failed to verify secret, username: perftest7, error: failed to refresh token, username: perftest7, error: oauth2: "error: grant_type: refresh_token is not supported in this application"
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="116.236.195.166, 172.25.0.11" requestID="7d9431c8-50ce-4112-9d8b-541974d13d00" user agent="docker/20.10.10 go/go1.16.9 git-commit/e2f740d kernel/5.10.47-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.10 \(darwin\))"]: failed to authenticate user:perftest7, error:not supported

cywang4 commented Feb 28, 2024

The detailed error log of harbor-core is as follows:

2024-02-28T09:16:29Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 688deb6d-c302-4e09-8c64-e5cb5c070492 to the logger for the request GET /v2/
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /v2/
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="688deb6d-c302-4e09-8c64-e5cb5c070492"]: an unauthorized security context generated for request GET /v2/
2024-02-28T09:16:29Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized: unauthorized"}]}
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 7d9431c8-50ce-4112-9d8b-541974d13d00 to the logger for the request GET /service/token
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /service/token?account=perftest7&client_id=docker&offline_token=true&service=harbor-registry
2024-02-28T09:16:29Z [DEBUG] [/pkg/oidc/secret.go:87]: Verifying the secret for user: perftest7
2024-02-28T09:16:29Z [DEBUG] [/pkg/oidc/secret.go:116]: Refreshing token
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_groups_claim, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_admin_group, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_groups_claim, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_admin_group, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_groups_claim, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_group_filter, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [DEBUG] [/pkg/config/manager.go:142]: failed to get key oidc_admin_group, error: the configure value is not set, maybe default value not defined before get
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="7d9431c8-50ce-4112-9d8b-541974d13d00"]: failed to verify secret, username: perftest7, error: failed to refresh token, username: perftest7, error: oauth2: "error: grant_type: refresh_token is not supported in this application"
2024-02-28T09:16:29Z [DEBUG] [/core/auth/authenticator.go:145]: Current AUTH_MODE is oidc_auth
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="116.236.195.166, 172.25.0.11" requestID="7d9431c8-50ce-4112-9d8b-541974d13d00" user agent="docker/20.10.10 go/go1.16.9 git-commit/e2f740d kernel/5.10.47-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.10 \(darwin\))"]: failed to authenticate user:perftest7, error:not supported
2024-02-28T09:16:29Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="7d9431c8-50ce-4112-9d8b-541974d13d00"]: an unauthorized security context generated for request GET /service/token
2024-02-28T09:16:29Z [DEBUG] [/core/service/token/token.go:37]: URL for token request: /service/token?account=perftest7&client_id=docker&offline_token=true&service=harbor-registry
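
Added example, not part of the original thread or of Harbor's code: a small Python triage script that groups harbor-core ERROR lines by requestID, so the `oidc_cli.go` refresh failure and the matching `basic_auth.go` rejection are reported as one finding per login attempt. The sample log is constructed in the format quoted above, and the cause labels are this example's own names.

```python
import re
from collections import defaultdict

# Constructed sample in the harbor-core log format quoted in this issue
# (user names, request IDs, client IP and the "invalid secret" text are made up).
SAMPLE_LOG = """\
2024-02-28T09:16:29Z [DEBUG] [/pkg/oidc/secret.go:116]: Refreshing token
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="req-1"]: failed to verify secret, username: alice, error: failed to refresh token, username: alice, error: oauth2: "error: grant_type: refresh_token is not supported in this application"
2024-02-28T09:16:29Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="203.0.113.10, 172.25.0.11" requestID="req-1" user agent="docker/20.10.10"]: failed to authenticate user:alice, error:not supported
2024-02-28T09:17:02Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="req-2"]: failed to verify secret, username: bob, error: invalid secret
"""

# timestamp [LEVEL] [/source/file.go:NN][optional key="value" context]: message
LINE = re.compile(r'^(\S+) \[(\w+)\] \[([^\]:]+):\d+\](?:\[(.*?)\])?: (.*)$')
KV = re.compile(r'([\w ]+?)="([^"]*)"')

def classify(msg):
    """Map an oidc_cli.go error message to a coarse cause label."""
    if "failed to refresh token" in msg:
        if "refresh_token is not supported" in msg:
            return "idp_refresh_grant_unsupported"
        return "refresh_failed"
    return "secret_rejected"

def triage(log_text):
    """Correlate ERROR lines by requestID: who failed, why, and from which client."""
    by_req = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != "ERROR":
            continue
        src, ctx_raw, msg = m.group(3), m.group(4) or "", m.group(5)
        ctx = {k.strip(): v for k, v in KV.findall(ctx_raw)}
        rec = by_req[ctx.get("requestID", "unknown")]
        if src.endswith("oidc_cli.go"):
            user = re.search(r"username: ([^,\s]+)", msg)
            rec["user"] = user.group(1) if user else None
            rec["cause"] = classify(msg)
        elif src.endswith("basic_auth.go"):
            # Assumption: the first entry of the comma-separated list is the client.
            rec["client_ip"] = ctx.get("client IP", "").split(",")[0].strip()
            rec["user_agent"] = ctx.get("user agent")
    return dict(by_req)

if __name__ == "__main__":
    for req_id, rec in triage(SAMPLE_LOG).items():
        print(req_id, rec)
```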

@dee-kryvenko

I think I am having the same issue with Okta, although this happens to me even using Robot Accounts. Which I thought had nothing to do with the upstream IdP and locally issued... or not?

@dee-kryvenko

2024-03-03T07:20:07Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 653c23e4-c6dc-486a-837e-fad42450f4e6 to the logger for the request GET /v2/
2024-03-03T07:20:07Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /v2/
2024-03-03T07:20:07Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="653c23e4-c6dc-486a-837e-fad42450f4e6"]: an unauthorized security context generated for request GET /v2/
2024-03-03T07:20:07Z [DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized: unauthorized"}]}
2024-03-03T07:20:10Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id 5131bebe-9849-4e80-80c1-046f7441a304 to the logger for the request POST /service/token
2024-03-03T07:20:10Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /service/token
2024-03-03T07:20:10Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="5131bebe-9849-4e80-80c1-046f7441a304"]: an unauthorized security context generated for request POST /service/token
2024-03-03T07:20:10Z [DEBUG] [/server/middleware/log/log.go:31]: attach request id dc8858cc-e720-4b5f-96ac-20c0819120ed to the logger for the request GET /service/token
2024-03-03T07:20:10Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /service/token?offline_token=true&service=harbor-registry
2024-03-03T07:20:10Z [INFO] [/server/middleware/security/robot.go:71][requestID="dc8858cc-e720-4b5f-96ac-20c0819120ed"]: a robot security context generated for request GET /service/token
2024-03-03T07:20:10Z [DEBUG] [/core/service/token/token.go:37]: URL for token request: /service/token?offline_token=true&service=harbor-registry
2024-03-03T07:20:10Z [DEBUG] [/core/service/token/creator.go:201]: scopes: []
2024-03-03T07:20:10Z [DEBUG] [/core/service/token/authutils.go:51]: scopes: []

This comes up when I try with a Robot Account

@dee-kryvenko

I traced my issue to this #20080, not sure you are having the same issue or not...

Contributor

stonezdj commented Mar 4, 2024

When logging in with the CLI, you should log in with the OIDC CLI secret, not the OIDC username/password.
Please refer to the document: https://goharbor.io/docs/2.1.0/administration/configure-authentication/oidc-auth/#using-oidc-from-the-docker-or-helm-cli

@stonezdj stonezdj self-assigned this Mar 4, 2024

cywang4 commented Mar 4, 2024

@stonezdj
I'm sure my docker login is using the OIDC CLI secret login.


cywang4 commented Mar 4, 2024

I'm not sure if it has something to do with my upgrade from harbor-2.5 to harbor-2.10

github-actions bot commented May 4, 2024

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label May 4, 2024