Unable to authenticate against the OpenShift internal registry using a token. #43319

Open
tmds opened this issue Sep 10, 2024 · 4 comments · Fixed by #43491
Labels: Area-CLI; Area-Containers (Related to dotnet SDK containers functionality); untriaged (Request triage from a team member)

Comments


tmds commented Sep 10, 2024

The .NET SDK can't authenticate against the OpenShift image registry when the auth.json has an auth that starts with `<token>:`.

This case is treated special here:

```csharp
// Existing special case in the SDK (quoted in the issue): a "<token>" username
// sends the password as a Bearer token instead of a Basic credential.
var header = privateRepoCreds.Username == "<token>"
    ? new AuthenticationHeaderValue(BearerAuthScheme, privateRepoCreds.Password)
    : new AuthenticationHeaderValue(BasicAuthScheme, Convert.ToBase64String(Encoding.ASCII.GetBytes($"{privateRepoCreds.Username}:{privateRepoCreds.Password}")));
```

The use of the Bearer scheme is causing the authentication to fail. When I change it to Basic (that is: removing the special case) then the authentication works.

With podman debug logging, there is a single GET call to the realm URI. I assume it immediately goes for Basic auth.

```text
DEBU[0000] GET https://<registry>/v2/
DEBU[0000] Ping https://<registry>/v2/ status 401
DEBU[0000] GET https://<registry>/openshift/token?account=%3Ctoken%3E&scope=repository%3Atdeseyn-dev%2Fdotnet-runtime%3Apull
DEBU[0000] Increasing token expiration to: 60 seconds
DEBU[0000] GET https://<registry>/v2/tdeseyn-dev/dotnet-runtime/manifests/8.0
```

@baronfel can we make the .NET 9 SDK capable of supporting this scenario by also trying Basic auth for `<token>`? I can work on a PR.

For .NET 10, perhaps we can take a closer look at how docker and podman do the auth and try to mimic their behavior?

cc @omajid
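An added example (not the SDK's own code) that models the fallback proposed above: it lists the Authorization headers a client would try in order for a given auth.json entry, parses the `Bearer realm=...` challenge from the registry's 401, and builds the token-realm URI in the shape the podman log shows. The challenge string, registry host and token value are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Text;
using System.Text.RegularExpressions;

static class RegistryAuth
{
    const string TokenUsername = "<token>";
    // Ordered candidates: for "<token>" the existing Bearer header first, then the
    // Basic fallback proposed in this issue; any other username gets Basic only.
    public static IEnumerable<AuthenticationHeaderValue> CandidateHeaders(string username, string password)
    {
        if (username == TokenUsername)
            yield return new AuthenticationHeaderValue("Bearer", password);
        yield return new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.ASCII.GetBytes($"{username}:{password}")));
    }

    // Parameters of a 'Bearer realm="...",service="...",scope="..."' challenge
    // taken from the WWW-Authenticate header of the registry's 401 response.
    public static Dictionary<string, string> ParseBearerChallenge(string header)
    {
        var parameters = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) return parameters;
        foreach (Match m in Regex.Matches(header.Substring(7), @"(\w+)=""([^""]*)"""))
            parameters[m.Groups[1].Value] = m.Groups[2].Value;
        return parameters;
    }

    // Token endpoint URI in the shape the podman log shows:
    // realm?account=...&scope=... (plus service when the challenge names one).
    public static Uri TokenRequestUri(Dictionary<string, string> challenge, string account)
    {
        var query = $"account={Uri.EscapeDataString(account)}&scope={Uri.EscapeDataString(challenge["scope"])}";
        if (challenge.TryGetValue("service", out var service))
            query += $"&service={Uri.EscapeDataString(service)}";
        return new Uri($"{challenge["realm"]}?{query}");
    }

    static void Main()
    {
        // Constructed challenge; host and token value are placeholders.
        var challenge = ParseBearerChallenge(
            "Bearer realm=\"https://registry.example/openshift/token\",scope=\"repository:tdeseyn-dev/dotnet-runtime:pull\"");
        Console.WriteLine(TokenRequestUri(challenge, TokenUsername));
        foreach (var h in CandidateHeaders(TokenUsername, "TOKEN-PLACEHOLDER"))
            Console.WriteLine(h);
    }
}
```

With the placeholder challenge, the account and scope query parameters come out percent-encoded exactly as in the podman log (`account=%3Ctoken%3E&scope=repository%3Atdeseyn-dev%2Fdotnet-runtime%3Apull`), and both a Bearer and a Basic header are produced for the `<token>` entry.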

@dotnet-issue-labeler bot added the Area-CLI and untriaged (Request triage from a team member) labels Sep 10, 2024
@baronfel

It is very unlikely we could get anything for .NET 9 - we are locking down in like a week and the containers team has several other things we are driving on. If you could provide pointers to the spec or experiential data about how podman/docker do auth we could maybe change this, but auth is a very scary area to change because it's not under good testing in this repo.

@baronfel added the Area-Containers (Related to dotnet SDK containers functionality) label Sep 10, 2024

tmds commented Sep 10, 2024

> It is very unlikely we could get anything for .NET 9 - we are locking down in like a week and the containers team has several other things we are driving on.

A .NET 9 patch release would be fine too. And the change would be adding a fallback, so that would minimize the risk of introducing a regression in the existing auth mechanisms.


tmds commented Sep 10, 2024

I'm going to make a PR against main and then you can assess the back-portability.

It would be nice if we don't have to wait for a .NET 10 SDK to have this fixed.

Do you recall for what registry the handling of `<token>` was added to `TryTokenGetAsync`?

@baronfel

It's required for handling identity tokens when doing registry auth. You can see it in use at regclient. See docs at docker cli and similar usage in the docker CLI.
