Docker.github.io: DTR API docs don't explain how to authenticate

Created on 24 Mar 2017 · 8 comments · Source: docker/docker.github.io

File: apidocs/overview.md

All the API docs are okay at explaining the API methods and actions, but nowhere do they explain how to authenticate. Do users have tokens? Is there an auth method?

areEnterprise

All 8 comments

I've updated the title of this issue to make it more obvious.

It seems that right now DTR doesn't have an authentication endpoint, but you can authenticate your requests using basic authentication. Here's an example:

curl -k --user <username>:<password> <dtr-url>/api/v0/meta/settings

You have to use the following APIs for login:

  1. GET https://172.17.0.1/api/v0/openid/begin
    This API will create a cookie, i.e. csrf_redirect_state_key, and give you the authorization URL.

  2. POST https://172.17.0.1:444/enzi/v0/id/login
    Body POST data:
    {"username":"admin","password":"password"}
    This API will return you an authorization token; use this token as a header in the next call.

  3. POST https://172.17.0.1:444/enzi/v0/id/authorize

POST data:
scope=openid&response_type=code&client_id=65bb15b7-c1e6-4278-801b-b3c4b7baa84e&redirect_uri=https%3A%2F%2F172.17.0.1%2Fapi%2Fv0%2Fopenid%2Fcallback&response_type=code&scope=openid&state=eyJyZWRpcmVjdE5leHQiOiIiLCJyZWRpcmVjdFVSSSI6Imh0dHBzOi8vMTcyLjE3LjAuMS9hcGkvdjAvb3BlbmlkL2NhbGxiYWNrIn0.3pQ05IN7_dRW_fNXi19m7k-vDbBZz8K_xwbriNrasD8

The client_id value was already obtained from the /api/v0/openid/begin API call header; you have to use it in the body of the above call.

This call will return you another OpenID callback API link.

Hit the OpenID callback URL that was returned, after removing some values,
e.g. GET https://172.17.0.1/api/v0/openid/callback?code=f45dbf0b-aaa3-4fd3-a94a-48ccc3a6c59b&state=eyJyZWRpcmVjdE5leHQiOiIiLCJyZWRpcmVjdFVSSSI6Imh0dHBzOi8vMTcyLjE3LjAuMS9hcGkvdjAvb3BlbmlkL2NhbGxiYWNrIn0.3pQ05IN7_dRW_fNXi19m7k-vDbBZz8K_xwbriNrasD8

This call will create two more cookie values, like:
Set-Cookie: session=c87ef519-d654-4c16-8f15-2dcfa92c2b94; Path=/; Expires=Sat, 16 Apr 2022 13:48:05 GMT; HttpOnly; Secure
Set-Cookie: csrftoken=75bc475b-38a2-4785-8b62-ae2f0ca69dd3; Path=/; Expires=Sat, 16 Apr 2022 13:48:05 GMT; Secure

Now you can use any call by adding the X-Csrf-Token header using the csrftoken value.

If you are still unable to log in, I can provide you my JMeter .jmx files; you can message me.

@akbar-10p thanks for posting this info! I'm not sure that authentication method is officially supported and will continue working in the future, so if you're looking at this issue for the DockerCon hackathon, document how to authenticate to DTR using basic authentication instead of this OpenID handshake.

@joaofnfernandes, yes, it is the basic authentication method used by DTR.
You will be able to log in by using only the login call, but it won't create the required cookies.
So this method is correct, as far as my research work goes.

Sorry for being ambiguous. What I'm saying is that you should use HTTP basic authentication (pass the user/pass on all HTTP requests), like:

curl -k --user <username>:<password> <dtr-url>/api/v0/meta/settings

  1. curl -c cookies.txt -b cookies.txt -X GET \
    https://<dtr-url>/api/v0/openid/begin \
    -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H 'content-type: application/json' \
    --compressed
    # -c/-b keep the csrf_redirect_state_key cookie (and later the session/csrftoken cookies) across calls

  2. curl -c cookies.txt -b cookies.txt -X POST \
    https://<dtr-url>:444/enzi/v0/id/login \
    -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H 'content-type: application/json' \
    --compressed \
    -d '{"username":"admin","password":"password"}'

  3. curl -c cookies.txt -b cookies.txt -X POST \
    https://<dtr-url>:444/enzi/v0/id/authorize \
    -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H 'authorization: SessionToken <token from login call>' \
    --compressed \
    -d 'scope=openid&response_type=code&client_id=<client_id from begin call>&redirect_uri=https%3A%2F%2F<dtr-url>%2Fapi%2Fv0%2Fopenid%2Fcallback&state=<state from begin call>'

  4. curl -c cookies.txt -b cookies.txt -X GET \
    'https://<dtr-url>/api/v0/openid/callback?code=<code returned by the above call>&state=<state returned by the above call>' \
    -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H 'authorization: SessionToken <token from login call>' \
    -H 'content-type: application/json' \
    --compressed

  5. curl -b cookies.txt -X GET \
    https://<dtr-url>/api/v0/meta/features \
    -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H 'content-type: application/json' \
    --compressed \
    -H 'x-csrf-token: <csrftoken cookie value from cookies.txt>'

I've filed a PR upstream so that this information gets included directly in the product. As mentioned previously, you should use HTTP basic auth for authentication.

curl -ks --user <username>:<password> <dtr-url>/api/v0/repositories

Which returns something like

{
  "repositories": [
    {
      "id": "c9f92841-15b2-42a5-9e3b-ff79356bc537",
      "namespace": "alpha",
      "namespaceType": "organization",
      "name": "nginx",
      "shortDescription": "",
      "visibility": "public",
      "scanOnPush": false,
      "immutableTags": false,
      "enableManifestLists": false,
      "pulls": 0,
      "pushes": 0
    }
  ]
}
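As an added example (not code from this thread or from DTR itself), here is a small Python 3 client built on the standard library that covers both ways of authenticating discussed above: HTTP basic auth on every request, which the maintainer recommends, and the session-cookie-plus-X-Csrf-Token form that the OpenID handshake ends in. The host dtr.example.test, the cafile parameter and all function names are assumptions of the example; the state value and the two Set-Cookie lines are copied from the thread's own captures. It also decodes the payload half of the state value, which is base64url JSON followed by a signature that only DTR can verify.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Captures quoted in the thread (a local 172.17.0.1 test instance, not secrets).
STATE_FROM_THREAD = (
    "eyJyZWRpcmVjdE5leHQiOiIiLCJyZWRpcmVjdFVSSSI6Imh0dHBzOi8vMTcyLjE3LjAuMS9hcGkvdjAvb3BlbmlkL2NhbGxiYWNrIn0"
    ".3pQ05IN7_dRW_fNXi19m7k-vDbBZz8K_xwbriNrasD8"
)
SET_COOKIE_FROM_THREAD = [
    "session=c87ef519-d654-4c16-8f15-2dcfa92c2b94; Path=/; Expires=Sat, 16 Apr 2022 13:48:05 GMT; HttpOnly; Secure",
    "csrftoken=75bc475b-38a2-4785-8b62-ae2f0ca69dd3; Path=/; Expires=Sat, 16 Apr 2022 13:48:05 GMT; Secure",
]


def _url(base_url, path):
    # Credentials and cookies are sent with every request, so refuse plain HTTP.
    if not base_url.startswith("https://"):
        raise ValueError("DTR must be addressed over https")
    return urllib.parse.urljoin(base_url, path)


def basic_auth_request(base_url, path, username, password, method="GET"):
    """Request carrying HTTP basic auth, as the maintainer recommends: no session,
    no cookies, the user/pass goes on every call."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(_url(base_url, path), method=method)
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Accept", "application/json")
    return req


def decode_state(state):
    """Decode the readable half of the OpenID `state` value from the thread.
    Format is `<base64url JSON>.<base64url signature>`; the signature is not
    checked here because the client has no key for it, DTR verifies it."""
    payload_b64 = state.split(".", 1)[0]
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def parse_set_cookie(lines):
    """Return {name: {"value": ..., "flags": {...}}} from Set-Cookie header lines.
    Splitting on ';' is safe: the Expires date contains a comma, not a semicolon."""
    jar = {}
    for line in lines:
        pair, *attrs = [p.strip() for p in line.split(";")]
        name, value = pair.split("=", 1)
        flags = {a.lower() for a in attrs if "=" not in a}
        jar[name] = {"value": value, "flags": flags}
    return jar


def csrf_request(base_url, path, jar, method="GET"):
    """Post-handshake request: send the session and csrftoken cookies and mirror
    csrftoken into X-Csrf-Token (the double-submit pattern the thread describes)."""
    req = urllib.request.Request(_url(base_url, path), method=method)
    req.add_header("Cookie", "session=%s; csrftoken=%s"
                   % (jar["session"]["value"], jar["csrftoken"]["value"]))
    req.add_header("X-Csrf-Token", jar["csrftoken"]["value"])
    req.add_header("Accept", "application/json")
    return req


def fetch_json(req, cafile=None, timeout=10):
    """Send over verified TLS. Point cafile at DTR's CA bundle instead of turning
    verification off (the `curl -k` in the thread); None uses the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo: build the requests and inspect them; no network call is made.
    base = "https://dtr.example.test"  # assumed host
    print(decode_state(STATE_FROM_THREAD))
    jar = parse_set_cookie(SET_COOKIE_FROM_THREAD)
    for name, c in jar.items():
        print(name, sorted(c["flags"]))
    print(basic_auth_request(base, "/api/v0/repositories", "admin", "password").header_items())
    print(csrf_request(base, "/api/v0/meta/features", jar).header_items())
```

Two checks worth keeping from this: the session cookie is HttpOnly and the csrftoken cookie deliberately is not (a browser script has to read it to set X-Csrf-Token), and the state value is signed, so a client can inspect it but cannot mint its own; tamper with the payload and DTR rejects the callback. For a script hitting /api/v0, basic auth plus a pinned CA file is the simplest correct setup.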