Authorizing requests to /v2/_catalog


Sharon Naftaly

Feb 3, 2021, 6:01:47 AM
to quay-sig
Hi, 

I'd like to make authenticated requests to list my repositories on quay.io.
When making an unauthenticated call https://quay.io/v2/_catalog, I get a response with status code 200 and an empty repository list.

Looking at a past message in this discussion group, I saw that I can use the /v2 endpoint in order to get a 401 response with the WWW-Authenticate header, and use the details from it to make an /v2/auth request to retrieve a token.

My questions are: 
  1. Does the /v2 endpoint return sufficient information in the WWW-Authenticate header to get a token that will allow authenticated requests to the /v2/_catalog endpoint?
  2. Alternatively, is there a way to force the /v2/_catalog endpoint to return a 401 response with the WWW-Authenticate header (instead of returning 200 with a list of public repositories)?
I'd appreciate your guidance.
Thanks!
Sharon

Bill Dettelback

Feb 3, 2021, 8:41:42 AM
to quay...@googlegroups.com

Sharon-

You should be able to use a robot account within your organization to do this.  If you don't have one already, set one up with at least "Read" permission on all repos that you want to expose. Then you can grab the docker credentials config from quay.io's web page (click on Robot account, then "Docker Configuration", click the little link "View xyz-auth.json").  You'll see the auth token there inside the JSON fragment.

To get the proper V2 token (assume $TOKEN has the robot token):

$ curl -L -X GET -H "Authorization: Basic $TOKEN" "https://quay.io/v2/auth?service=quay.io&scope=repository:<yourorg>/<somerepo>:pull,push"
{"token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZC..

Grab that token (assume it's in $DTOKEN), and you can use it with the /v2 API - this will show all repos that robot token can see:

$ curl -L -X GET -H "Authorization: Bearer $DTOKEN" https://quay.io/v2/_catalog
{"repositories":["<yourorg>/<repo1>","<yourorg>/<repo2>","<yourorg>/<repo3>","<yourorg>/<repo4>"]}

Hope that helps.

Bill

-- 
Bill Dettelback
Engineering Manager - Red Hat Quay, OpenShift Image Registry
M: 732-991-0052
https://www.redhat.com/en/technologies/cloud-computing/quay
Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.

Sharon Naftaly

Feb 3, 2021, 12:07:19 PM
to quay-sig
Hi Bill,

Thanks for the quick answer!

I do still have a question about the auth request needed for listing available repos:
In order to receive a token that will allow me to list all the repos available for the specific user (without knowing them upfront), what should be the parameters to the /v2/auth api?
From what I saw the parameter needed for that is service=quay.io. Is that correct?

The reason I'm asking is that usually when making an unauthorized request to a resource the docker v2 API would return a www-authenticate header which tells which parameters are needed for /v2/auth. But in the case of making an unauthenticated request to /v2/_catalog we don't get this header (because authentication is not required).

Thank you,
Sharon
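
The flow discussed in this thread (read the Bearer challenge returned by /v2, request a token from /v2/auth, then call /v2/_catalog), as an added example that is not part of any post above. The sample header and JSON are constructed, and the function names and the realm host check are assumptions of this example. The scope is left optional, since the thread does not settle which scope the catalog needs.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Sample header values are constructed.

# Print the value of KEY="..." from a WWW-Authenticate Bearer challenge.
challenge_param() {
  printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Build the token URL from a challenge.
# $2 = host the realm must be on, $3 = optional scope to request.
token_url() {
  local hdr="$1" want_host="$2" scope="${3:-}"
  local realm service host
  realm=$(challenge_param "$hdr" realm)
  service=$(challenge_param "$hdr" service)
  [ -n "$scope" ] || scope=$(challenge_param "$hdr" scope)
  # The robot credential is sent to the realm, so pin its scheme and host first.
  case $realm in
    https://*) ;;
    *) echo "refusing realm '$realm': not https" >&2; return 1 ;;
  esac
  host=${realm#https://}; host=${host%%/*}
  [ "$host" = "$want_host" ] || { echo "refusing realm host '$host'" >&2; return 1; }
  if [ -n "$scope" ]; then
    printf '%s\n' "$realm?service=$service&scope=$scope"
  else
    printf '%s\n' "$realm?service=$service"
  fi
}

# Pull the "token" field out of the /v2/auth JSON response.
json_token() {
  printf '%s\n' "$1" | sed -n 's/.*"token":[ ]*"\([^"]*\)".*/\1/p'
}

# The two requests from the thread (network; not called here).
# $1 = challenge header value, $2 = optional scope; $TOKEN is the robot
# credential from the Docker configuration JSON.
list_catalog() {
  local url dtoken
  url=$(token_url "$1" quay.io "${2:-}") || return 1
  dtoken=$(json_token "$(curl -fsS -H "Authorization: Basic $TOKEN" "$url")")
  curl -fsS -H "Authorization: Bearer $dtoken" https://quay.io/v2/_catalog
}

# Offline demo on a constructed challenge value.
token_url 'Bearer realm="https://quay.io/v2/auth",service="quay.io"' quay.io
```
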
