Unable to authenticate on public ECR #180

Open
gdlx opened this issue Jan 14, 2025 · 9 comments

gdlx commented Jan 14, 2025

Hi!
Following #176, I finally need to enable authentication on AWS public ECR to avoid rate limiting.
But I think there's either a bug or an issue in the authentication doc:

AWS provides me a token to be used as basic auth with the AWS username.

I tried both token and basic auth but neither actually works.
I've debugged the situation here: https://github.com/oras-project/oras-py/blob/main/oras/provider.py#L992

In both cases, I can't authenticate on public ECR.

Am I missing something?

Thanks!

Author

gdlx commented Jan 14, 2025

I just tried with the #176 fix.
Now the token auth just doesn't add the header because it's empty, but I'm still not able to authenticate.

I think the header should be updated if self.auth is an oras.auth.BasicAuth, which provides the requested header:

>>> type(self.auth)
<class 'oras.auth.basic.BasicAuth'>

>>> self.auth.get_auth_header()
{'Authorization': 'Basic Tez4dgfV5SndZWGxz...'}

Author

gdlx commented Jan 14, 2025

Also note that 0.2.2 actually sends the credentials, but as a bearer token (not sure it is correctly understood by the ECR API):

>>> headers, changed = self.auth.authenticate_request(response, headers)
>>> headers
{'Authorization': 'Bearer eyJwYXlsb2FkIjoiY0...'}

Contributor

vsoch commented Jan 14, 2025

My suggestion is to make an auth backend that explicitly matches what the registry needs. That was the reason for the redesign of auth generally - getting all these different flows to work with just one implementation is near impossible.

Author

gdlx commented Jan 14, 2025

I understand, and as I said, maybe it's just a lack in the auth doc that doesn't show any custom auth backend example: https://oras-project.github.io/oras-py/getting_started/user-guide.html#authentication

That said, the public ECR only requires basic auth, which is actually implemented, but it just seems ineffective, as the code clearly only updates request headers for the Token auth class.

It's not clear why the implemented basic auth would actually mean "no auth", and how a custom auth backend would work while the code has a hard-coded condition to update headers only for token auth.

Contributor

vsoch commented Jan 14, 2025

Feel free to contribute to the project to fix documentation, code, or the defaults. Thanks!

Author

gdlx commented Jan 15, 2025

Sure, but would a PR that injects the auth header for basic auth be OK?
(I don't know why you only inject it for token auth)

Contributor

vsoch commented Jan 16, 2025

Injects?

Author

gdlx commented Jan 17, 2025

> Injects?

Yes, adding the auth header into the headers dict. Sorry, that wasn't clear.

I've finally been able to make it work with any version: the problem was that I was calling client.login for token auth (the token provided by ECR is actually a base64-encoded user:password, so you can send it as a bearer token or basic auth) as explained in the doc.

But the login method never calls the set_token_auth method, so it's never set.

Replacing client.login with client.auth.set_token_auth(token) worked just fine.

Now I'm not sure if it's a doc issue or if I'm doing something wrong...
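
Added example, not part of the original thread and not oras-py code: assuming, as the comment above states, that the registry token is a base64-encoded user:password pair, this code checks that shape, builds the matching Basic header, and produces a redacted copy of the headers for pasting into a bug report. The function names and the sample credential are constructed for illustration.

```python
import base64
import binascii


def split_registry_token(token: str) -> tuple[str, str]:
    """Decode a base64 'user:password' token into (user, password)."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("token is not base64-encoded text") from exc
    user, sep, password = decoded.partition(":")
    if not sep or not user or not password:
        raise ValueError("decoded token is not in user:password form")
    return user, password


def basic_auth_header(token: str) -> dict[str, str]:
    """Validate the token, then build the Basic header it corresponds to."""
    user, password = split_registry_token(token)
    # Re-encode from the validated parts; for a well-formed token this
    # reproduces the token itself.
    value = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {value}"}


def redact(headers: dict[str, str]) -> dict[str, str]:
    """Copy of the headers with the credential removed but the scheme kept."""
    out = dict(headers)
    if "Authorization" in out:
        scheme, _, _secret = out["Authorization"].partition(" ")
        out["Authorization"] = f"{scheme} <redacted>"
    return out


# Constructed sample, not a real credential.
SAMPLE_TOKEN = base64.b64encode(b"AWS:constructed-example-password").decode("ascii")

if __name__ == "__main__":
    print(split_registry_token(SAMPLE_TOKEN)[0])
    print(redact(basic_auth_header(SAMPLE_TOKEN)))
```

Keeping the scheme in the redacted output preserves the detail that mattered in this thread (Basic versus Bearer) without exposing any part of the token.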

Contributor

vsoch commented Jan 17, 2025

If you found a way that works, why would you be doing something wrong?

If you think there could be better docs for this case, a PR would be greatly appreciated.
