Bug
Resolution: Unresolved
Blocker
quay-v3.11.0
Incidents & Support
Quay Enterprise
Customer Escalated
When Azure AD is used, CLI login fails because of a missing parameter:
...
2024-05-16T15:39:43.301167401Z gunicorn-registry stdout | 2024-05-16 15:39:43,300 [242] [DEBUG] [auth.basic] Attempt to process basic auth header
2024-05-16T15:39:43.395617601Z gunicorn-registry stdout | 2024-05-16 15:39:43,394 [242] [DEBUG] [urllib3.connectionpool] https://login.windows.net:443 "POST /d1e.../oauth2/token HTTP/1.1" 400 484
2024-05-16T15:39:43.396353826Z gunicorn-registry stdout | 2024-05-16 15:39:43,395 [242] [DEBUG] [oauth.oidc] Got get_access_token response {"error":"invalid_request","error_description":"AADSTS900144: The request body must contain the following parameter: 'resource'. Trace ID: 109b... Correlation ID: bc... Timestamp: 2024-05-16 15:39:43Z","error_codes":[900144],"timestamp":"2024-05-16 15:39:43Z","trace_id":"109b3...","correlation_id":"bc64...","error_uri":"https://login.windows.net/error?code=900144"}
2024-05-16T15:39:43.396645338Z gunicorn-registry stdout | 2024-05-16 15:39:43,395 [242] [ERROR] [data.users.externaloidc] External OIDC Group Sync: Exception while verifying credentials: Got 400 response for code exchange: {"error":"invalid_request",...
2024-05-16T15:39:43.396645338Z gunicorn-registry stdout | File "/quay-registry/data/users/externaloidc.py", line 52, in verify_credentials
2024-05-16T15:39:43.396645338Z gunicorn-registry stdout | response = service.password_grant_for_login(username_or_email, password)
2024-05-16T15:39:43.396645338Z gunicorn-registry stdout | File "/quay-registry/oauth/oidc.py", line 355, in password_grant_for_login
2024-05-16T15:39:43.396645338Z gunicorn-registry stdout | raise PasswordGrantException(
2024-05-16T15:39:43.396645338Z gunicorn-registry stdout | oauth.oidc.PasswordGrantException: Got 400 response for code exchange: {"error":"invalid_request",...
2024-05-16T15:39:43.396645338Z gunicorn-registry stdout | 2024-05-16 15:39:43,396 [242] [WARNING] [auth.credentials] Failed to validate credentials for user XXXXXX: Got 400 response for code exchange: {"error":"invalid_request",...
2024-05-16T15:39:43.396915713Z gunicorn-registry stdout | 2024-05-16 15:39:43,396 [242] [ERROR] [util.http] Error 401: Anonymous access is not allowed; Arguments: {'url': 'https://QUAY_ENDPOINT/v2/auth?service=QUAY_ENDPOINT', 'status_code': 401, 'message': 'Anonymous access is not allowed'}
2024-05-16T15:39:43.397544520Z gunicorn-registry stdout | 2024-05-16 15:39:43,397 [242] [DEBUG] [app] Ending request: urn:request:c81c36e7-d5ab-4ed0-b58f-f4e8ff7b8890 (/v2/auth) {'endpoint': 'v2.generate_registry_jwt', 'request_id': 'urn:request:c81c36e7-d5ab-4ed0-b58f-f4e8ff7b8890', 'remote_addr': '10.72.30.16', 'http_method': 'GET', 'original_url': 'https:/QUAY_ENDPOINT/v2/auth?service=QUAY_ENDPOINT', 'path': '/v2/auth', 'parameters': {'service': 'QUAY_ENDPOINT'}, 'json_body': None, 'confsha': '7299b7e7', 'user-agent': 'Go-http-client/1.1'}
2024-05-16T15:39:43.398136054Z gunicorn-registry stdout | 2024-05-16 15:39:43,397 [242] [INFO] [gunicorn.access] 10.72.30.16 - XXXXXXXX [16/May/2024:15:39:43 +0000] "GET /v2/auth?service=QUAY_ENDPOINT HTTP/1.1" 401 44 "-" "Go-http-client/1.1"
It seems that Azure AD requires the resource parameter for the login to be successful.
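The failure in the log above can be reproduced offline with the following added example, which is not Quay's code and not part of the original report: it extracts the missing parameter from an AADSTS900144 error body and builds a password-grant form body that includes resource when the token endpoint is the v1.0 one (/oauth2/token, as in the log). All function names, the client values and the resource value are assumptions chosen for illustration.

```python
import json
import re
from urllib.parse import urlencode, urlparse

# Constructed sample: the error body from the log above, redactions ("...") kept.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": "AADSTS900144: The request body must contain the "
                         "following parameter: 'resource'. Trace ID: 109b... "
                         "Correlation ID: bc... Timestamp: 2024-05-16 15:39:43Z",
    "error_codes": [900144],
})


def missing_parameter(error_body):
    """Return the parameter named by an AADSTS900144 error body, else None."""
    try:
        doc = json.loads(error_body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or 900144 not in (doc.get("error_codes") or []):
        return None
    match = re.search(r"following parameter: '([^']+)'",
                      doc.get("error_description") or "")
    return match.group(1) if match else None


def is_v1_endpoint(token_endpoint):
    """v1.0 token endpoints end in /oauth2/token, v2.0 in /oauth2/v2.0/token."""
    return urlparse(token_endpoint).path.rstrip("/").endswith("/oauth2/token")


def password_grant_body(token_endpoint, client_id, client_secret, username,
                        password, resource=None, scope="openid"):
    """Form body for an OAuth 2.0 password grant (hypothetical helper)."""
    fields = {"grant_type": "password", "client_id": client_id,
              "client_secret": client_secret, "username": username,
              "password": password}
    if is_v1_endpoint(token_endpoint):
        # The v1.0 endpoint rejects the request without 'resource' (see log).
        if not resource:
            raise ValueError("v1.0 token endpoint requires a 'resource' value")
        fields["resource"] = resource
    else:
        fields["scope"] = scope
    return urlencode(fields)
```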