Auth form is not showing #330

Open
lorrod opened this issue Jul 28, 2023 · 14 comments

lorrod commented Jul 28, 2023

Hi, I use this Docker registry UI and I have an issue when I configure it with the secured option (REGISTRY_SECURED=true).

My registry is secured by the GitLab auth mechanism.

Bug description

My private docker registry and registry-ui configuration

  registry:
    restart: always
    image: registry:2.7
    container_name: gitlab_registry
    volumes:
     - ./gitlab/shared/registry:/registry
     - ./certs:/certs
    labels:
      - traefik.enable=true
      - traefik.http.routers.registry-https.rule=Host(`my-external-registry-host.com`)
      - traefik.http.routers.registry-https.entrypoints=websecure
      - traefik.http.routers.registry-https.tls=true
      - traefik.http.routers.registry-https.tls.certresolver=cfdns
      - traefik.http.routers.registry-https.service=registry
      - traefik.http.services.registry.loadbalancer.server.port=5000
    environment:
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      REGISTRY_HTTP_HEADERS_Access-Control-Origin: '[https://my-external-url.com]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_AUTH_TOKEN_REALM: https://my-git-url/jwt/auth
      REGISTRY_AUTH_TOKEN_SERVICE: container_registry
      REGISTRY_AUTH_TOKEN_ISSUER: omnibus-gitlab-issuer
      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /certs/registry.crt
  registry-ui:
    image: joxit/docker-registry-ui:main
    restart: always
    labels:
      - traefik.enable=true
      - traefik.http.routers.registry-ui.rule=Host(``)
      - traefik.http.routers.registry-ui.entrypoints=websecure
      - traefik.http.routers.registry-ui.tls=true
      - traefik.http.routers.registry-ui.tls.certresolver=cfdns
      - traefik.http.routers.registry-ui.service=registry-ui
      - traefik.http.services.registry-ui.loadbalancer.server.port=80
    environment:
      - SINGLE_REGISTRY=true
      - REGISTRY_TITLE=Registry
      - DELETE_IMAGES=true
      - SHOW_CONTENT_DIGEST=true
      - NGINX_PROXY_PASS_URL=http://registry:5000
      - SHOW_CATALOG_NB_TAGS=true
      - CATALOG_MIN_BRANCHES=1
      - CATALOG_MAX_BRANCHES=1
      - TAGLIST_PAGE_SIZE=100
      - REGISTRY_SECURED=true
      - CATALOG_ELEMENTS_LIMIT=1000
    container_name: registry-ui

Thank you for your project!

Owner

Joxit commented Jul 28, 2023

Hi, thank you for using my project and submitting issues!

It's my fault, there was a typo in the README, check out #329.

The headers should be REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin and REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials; I forgot the Allow in the README...

-      REGISTRY_HTTP_HEADERS_Access-Control-Origin: '[https://my-external-url.com]'
+      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://my-external-url.com]'
-      REGISTRY_HTTP_HEADERS_Access-Control-Credentials: '[true]'
+      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
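
Review bot: on the added Access-Control-Allow-Origin line, the value must be the exact origin the UI is served from (scheme, host and port, no path or trailing slash), because the Access-Control-Allow-Credentials: true added on the last line makes browsers reject a wildcard or a non-matching origin. https://my-external-url.com reads as a placeholder here, so say explicitly that it has to be replaced with the UI's own origin.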

Tell me if the issue persists after this change 😄

Author

lorrod commented Jul 29, 2023

Thank you for your quick response, unfortunately the issue still exists.

I have updated env vars of registry container:

    environment:
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /registry
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[https://ui.registry.external.url.com]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_AUTH_TOKEN_REALM: https://git.external.url/jwt/auth
      REGISTRY_AUTH_TOKEN_SERVICE: container_registry
      REGISTRY_AUTH_TOKEN_ISSUER: omnibus-gitlab-issuer
      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /certs/registry.crt

The login and password form is still missing. I see a 401 in the console log.
In the registry log I can see that the request is sent without authentication:
error authorizing context: authorization token required

Could you advise something else to check?

Owner

Joxit commented Jul 29, 2023

I will need:
Screenshot of your browser's console + network showing the headers of the request

Author

lorrod commented Jul 30, 2023

Sure, here it is
Screenshot 2023-07-30 at 21 25 12

Here is the copied request with the 401 response:
curl 'https://ui.registry.<>.com/v2/_catalog?n=1000' \
  -H 'authority: ui.registry.<>.com' \
  -H 'accept: */*' \
  -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'referer: https://ui.registry.<>.com/' \
  -H 'sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36' \
  --compressed

So the problem is that I was not asked to provide a username and password...

I tried a different browser and set the latest version, joxit/docker-registry-ui:2.5.2, with no luck.

Owner

Joxit commented Jul 30, 2023

Did you try the REGISTRY_SECURED option?

This is a configuration issue for sure, we just need to find where...

Can I see the headers of the response?

Are your registry and UI on strictly the same domain? (same domain AND subdomain, same port)

You mentioned token authentication, did you check this example https://github.com/Joxit/docker-registry-ui/tree/main/examples/token-auth-keycloak?
I know you're not using Keycloak, but there is some configuration there to make some auth servers work with Docker registries. The 401 response must have the header "WWW-Authenticate", for example...

Author

lorrod commented Jul 30, 2023

Yes, as you can see above, the configuration option REGISTRY_SECURED is set to true...
I attach a screenshot of the 401 response headers. Yes, "WWW-Authenticate" is present and equal to Bearer realm="https://git.<company-domain>.com/jwt/auth",service="container_registry",scope="registry:catalog:*"
Screenshot 2023-07-30 at 22 16 06

Domains of three systems are:
Registry ui - ui.registry.git.<company-domain>.com
Registry - registry.git.<company-domain>.com
Git - git.<company-domain>.com
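
Added example, not part of the thread and not docker-registry-ui code: parsing a Bearer challenge like the one quoted above, building the token request URL, and checking whether that request leaves the UI's origin. The `example.test` hostnames are constructed placeholders, and it assumes the UI fetches the token from the browser with credentials.

```javascript
// Added example (not docker-registry-ui code). Hostnames are constructed placeholders.
function parseBearerChallenge(header) {
  const m = /^\s*Bearer\s+(.*)$/i.exec(header || '');
  if (!m) return null; // a Basic challenge, or the header is missing / not exposed
  const params = {};
  // key="quoted value" or key=token; quoted values may contain commas,
  // e.g. scope="repository:a/b:pull,push", so a plain split(',') is wrong.
  const re = /([A-Za-z_][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(m[1])) !== null) {
    const value = p[2] !== undefined ? p[2].replace(/\\(.)/g, '$1') : p[3];
    params[p[1].toLowerCase()] = value;
  }
  return params.realm ? params : null;
}

function planTokenRequest(uiOrigin, wwwAuthenticate) {
  const challenge = parseBearerChallenge(wwwAuthenticate);
  if (!challenge) return { kind: 'not-bearer' };
  const url = new URL(challenge.realm);
  if (challenge.service) url.searchParams.set('service', challenge.service);
  if (challenge.scope) url.searchParams.set('scope', challenge.scope);
  const ui = new URL(uiOrigin).origin;
  const crossOrigin = url.origin !== ui;
  return {
    kind: 'bearer',
    tokenUrl: url.toString(),
    crossOrigin,
    // Assumption: the token fetch is credentialed. A cross-origin realm must then
    // answer with these headers, or the browser blocks the response.
    requiredCors: crossOrigin
      ? { 'Access-Control-Allow-Origin': ui, 'Access-Control-Allow-Credentials': 'true' }
      : {},
  };
}

// Constructed sample shaped like the challenge quoted in the thread.
const sampleChallenge =
  'Bearer realm="https://git.example.test/jwt/auth",service="container_registry",scope="registry:catalog:*"';
const plan = planTokenRequest('https://ui.registry.git.example.test', sampleChallenge);
console.log(plan);
```

With the UI proxying the registry on its own host, the `/v2/` calls are same-origin, but the realm on the Git host is a different origin, so the CORS headers have to be checked there as well.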

Owner

Joxit commented Aug 2, 2023

Hi there, could you pull the latest main tag and try if it works now? The sha should be 3414d7b

Author

lorrod commented Aug 15, 2023

Hello! Thank you for staying in contact!

Sorry for the late response, we have switched our focus...

I tried to use this image, joxit/docker-registry-ui:latest, but it comes with a different sha, sha256:899f61697a3d269aa1a6c14cbcf6f5c21480804854496bb1e6e9e4fabf758b36.

Unfortunately the problem is the same as described above.

Owner

Joxit commented Aug 16, 2023

Hi, sorry I was talking about the latest main tag, not the latest tag 😅

Like this: docker pull joxit/docker-registry-ui:main, then use it as usual.

Author

lorrod commented Sep 11, 2023

I have tried, no luck, sorry!

Is there anything else we can try? :D

Owner

Joxit commented Oct 2, 2023

Hi, I made a new release if you want to try it: v2.5.3

@quangngoc

I still have the issue:

I did set REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]' but there is an error "The Access-Control-Allow-Credentials header in the response is missing and must be set to true when the request's credentials mode is on"

Owner

Joxit commented Nov 24, 2023

Did you set REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials in your Docker registry server environment configuration as suggested in my recommended-docker-registry-usage?


prokher commented May 2, 2024

Having the same issue in Safari. It works OK when I open the page in Firefox though.
