Project Quay
PROJQUAY-8188: quay doesn't handle "scope" setting in api v2 OAuth


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Normal
    • Affects Version/s: quay-v3.13.0, quay-v3.12.4
    • Component/s: quay

      Description of problem:

      In API V2 OAuth, there is a setting `scope`. Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account. An application can request one or more scopes; this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.

      But when Quay handles API V2, the `scope` setting doesn't work.

      Take the API V2 endpoint `/v2/_catalog` for example. When `scope` is set, it works like this:

      $ curl -k -X GET -H "Authorization: Basic d2h1cm86MTIzNDU2Nzg=" "https://quayregistry-quay-quay-enterprise.apps.whu416az23.qe.azure.devcluster.openshift.com/v2/auth?service=quayregistry-quay-quay-enterprise.apps.whu416az23.qe.azure.devcluster.openshift.com&scope=repository:readonly-org/readonly-repo-pri:pull,push" |jq .
      {
        "token": "ey...NQ"
      }
      
      
      ------------------------------
      $ curl -k -X GET --header "Authorization: Bearer ey...NQ" "https://quayregistry-quay-quay-enterprise.apps.whu416az23.qe.azure.devcluster.openshift.com/v2/_catalog" |jq .
      {
        "repositories": [
          "user1-org/user1_repo_pub",
          "admin_org/admin_repo_pub",
          "ro-org/ro-repo-pri",
          "ro-org/ro-repo-pub",
          "readonly-org/readonly-repo-pri"
        ]
      }

       

      If `scope` is not set, it works like this:

      $ curl -k -X GET -H "Authorization: Basic d2h1cm86MTIzNDU2Nzg=" "https://quayregistry-quay-quay-enterprise.apps.whu416az23.qe.azure.devcluster.openshift.com/v2/auth?service=quayregistry-quay-quay-enterprise.apps.whu416az23.qe.azure.devcluster.openshift.com" |jq .
      {
        "token": "ey....wA"
      }
      
      
      ------------------------------
      $ curl -k -X GET --header "Authorization: Bearer ey....wA" "https://quayregistry-quay-quay-enterprise.apps.whu416az23.qe.azure.devcluster.openshift.com/v2/_catalog" |jq .
      {
        "repositories": [
          "user1-org/user1_repo_pub",
          "admin_org/admin_repo_pub",
          "ro-org/ro-repo-pri",
          "ro-org/ro-repo-pub",
          "readonly-org/readonly-repo-pri"
        ]
      } 

      If `scope=repository:readonly-org/readonly-repo-pri:pull,push` is set, the API v2 token generated in the first API call should only have permission to access `repository:readonly-org/readonly-repo-pri`. But according to the test result, with scope set, this token can still access other repositories, and whether `scope` is set or not does not affect the API output either. So it seems Quay doesn't handle `scope`.

              Assignee: Unassigned
              Reporter: Weihua Hu (rhwhu)
              Votes: 0
              Watchers: 2
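The scope question raised in this report can be checked on the client side by looking at what the issued token actually grants. The following is an added example, not Quay's code and not part of this issue: it parses a registry token `scope` string (the `type:name:action,action` format used in the `/v2/auth` request above), decodes the `access` claim of the returned JWT without verifying its signature, and reports which of the requested actions the token carries. The sample token, the user name in it, and the helper names `parse_scope`, `decode_jwt_claims`, `token_grants` and `scope_check` are assumptions constructed for this example; the claim layout follows the generic registry token format rather than anything Quay-specific.

```python
import base64
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ResourceScope:
    """One resource entry from a registry token scope string."""
    type: str           # e.g. "repository"
    name: str           # e.g. "readonly-org/readonly-repo-pri"
    actions: List[str]  # e.g. ["pull", "push"]


def parse_scope(scope: str) -> List[ResourceScope]:
    """Parse a registry token 'scope' value.

    The format is 'type:name:action[,action...]'; several resources may be
    requested separated by spaces. The resource name may itself contain ':'
    (for example a registry host with a port), so the actions are split off
    from the right and the type from the left.
    """
    result = []
    for item in scope.split():
        head, actions = item.rsplit(":", 1)
        rtype, name = head.split(":", 1)
        result.append(ResourceScope(rtype, name, [a for a in actions.split(",") if a]))
    return result


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload as a dict.

    The signature is NOT verified here; this helper only inspects what a
    token claims so the requested scope can be compared with the granted one.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_grants(claims: dict, rtype: str, name: str, action: str) -> bool:
    """True if the token's 'access' claim grants `action` on the given resource."""
    for entry in claims.get("access", []):
        if entry.get("type") == rtype and entry.get("name") == name:
            if action in entry.get("actions", []):
                return True
    return False


def scope_check(scope: str, token: str) -> Dict[str, bool]:
    """Map each requested 'type:name:action' to whether the token grants it."""
    claims = decode_jwt_claims(token)
    report = {}
    for rs in parse_scope(scope):
        for action in rs.actions:
            report[f"{rs.type}:{rs.name}:{action}"] = token_grants(claims, rs.type, rs.name, action)
    return report


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample token (not a real Quay token): the server granted only
# "pull" on the requested repository. The third segment is a placeholder,
# not a signature, so this token would fail verification at any real registry.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "iss": "quay",
        "sub": "example-user",
        "access": [{"type": "repository",
                    "name": "readonly-org/readonly-repo-pri",
                    "actions": ["pull"]}],
    }).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    requested = "repository:readonly-org/readonly-repo-pri:pull,push"
    for key, granted in scope_check(requested, SAMPLE_TOKEN).items():
        print(f"{key}: {'granted' if granted else 'not granted'}")
```

Run it against the `token` value returned by `/v2/auth` instead of `SAMPLE_TOKEN` to see what the server actually put in the token for the requested scope. The comparison tells you what the token carries; whether a particular endpoint such as `/v2/_catalog` honours those grants is a separate question that this check does not answer.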