How do I curl authenticate with Harbor, using Azure as the OIDC provider? #21829
Comments
|
did you get it work with admin user? And if you wanna access the Harbor API with OIDC user, you have to use the bearer token as the cred. Please refer to the section |
I do have admin access, but that has made no difference. |
jgagnon44
changed the title
|
I went to the recommended link https://github.com/goharbor/harbor/wiki/Harbor-FAQs#api, went to bullet 3 in that section and then clicked the link associated with Azure AD #9193 (comment). I reviewed the information provided, which seems like instructions on how to establish a "linkage" between Azure AD (as the OIDC provider) and Harbor. We already have this set up. I logged in to Harbor and grabbed by user ID and CLI secret. This does not work regardless of what I try. Should I be using the secret value of the app registered in Azure AD? That doesn't seem to make sense. Also, I don't have access to it (for good reason). Is this the wrong process to be using? |
jgagnon44
changed the title
Harbor has a REST API that can be utilized to extract various information from a Harbor instance. There must be certain API paths that are publicly available, while other paths are either inaccessible (other than through the Harbor Swagger page), or require some extra authorization/authentication in order to access them.
We are using Harbor version 2.7.2 and use OIDC single sign on (via Azure) to access the application.
In this case, I am attempting to pull information via the use of the
curlutility. I find that I can access, say, project information with nothing more than a simple call:curl -H "Content-Type: application/json" -i -X GET https://<Harbor URL>/api/v2.0/projectsThis returns a JSON list of the first N project objects.
However, if I try to access retention information (e.g.,
/api/v2.0/retentions/<project ID>), I cannot get it to work. I have tried lots of things, to no avail. I always get back "unauthorized":{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}By the way, I am able to successfully get retention information if I'm logged into Harbor and use the Swagger page. So, I know it works and that there is information there. However, I want to do this from outside Harbor, programmatically.
I have tried using the following patterns:
An alternate method (maybe?)
I also searched the Internet for anything that might help, and came upon another approach that I don't fully understand. It seems to involve making an initial call that returns a short-lived token that can then be passed in a following call to the REST API.
Below are links to what seems to be the most authoritative results I've found:
https://github.com/goharbor/harbor/wiki/Harbor-FAQs#api
https://github.com/distribution/distribution/blob/main/docs/content/spec/auth/token.md
https://distribution.github.io/distribution/spec/auth/scope/
I've tried to do this a number of times, but have had no luck. I have doubts/questions about many of the parts of the requests I'm making, so I wouldn't be surprised if I'm doing it wrong.
Here is the pattern of the first call (as best as I can understand it):
curl -ik -u "<user ID>:<CLI secret>" https://<Harbor URL>/service/token?service=harbor-registry&scope=registry:pullI assume
/service/tokenis an endpoint to use to request the token. I assumeservice=harbor-registryis the service I'm asking to provide the token (I hope "harbor-registry" is the correct value to privide). The next parameter is (to me) not clear what should be provided (there seems to be a syntax to a lot of this, but it's not clear what that syntax is). The third link above goes into detail about some of this.Making calls like this returns a result with a long token value and an expiration value. I then try to invoke the REST API, passing the token as a bearer token. So, for example:
curl -H "Authorization: Bearer <returned token>" -H "Content-Type: application/json" -i -X GET https://<Harbor URL>/api/v2.0/retentions/<project ID>I'm still getting the same response. Either this is not the right method, or I'm using it incorrectly, or I messed up the first request for the token.
The text was updated successfully, but these errors were encountered: