Bug #38424

open

katello gives wrong HTTP response code on oauth2 request against registry token endpoint

Added by Martin Spiessl about 19 hours ago. Updated about 10 hours ago.

Status: Ready For Testing
Priority: Normal
Assignee: -
Category: API
Target version:
Difficulty:
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

When accessing a container registry, some clients like helm will try to authenticate using oauth2 token authentication (a POST request against the v2/token endpoint, cf. https://docker-docs.uclv.cu/registry/spec/auth/oauth/) before falling back to regular token authentication (a GET request against the v2/token endpoint, cf. https://docker-docs.uclv.cu/registry/spec/auth/token/). The spec says the following:

Note: Not all token servers implement oauth2. If the request to the endpoint returns 404 using the HTTP POST method, refer to Token Documentation for using the HTTP GET method supported by all token servers.

However, in katello we currently return 415 (Unsupported Media Type) on the POST request, because the media type check is not disabled for the token endpoint (but it is for others like upload blob), and the POST request contains data with media type application/x-www-form-urlencoded while the check only allows json. As a result, clients (like helm) are confused and will not try the regular token authentication with the GET request.

The following curl request can be used to test the response (replace foreman.example.com with your foreman instance, orgname with your orgname, productname with your product name for the container registry; containername is arbitrary, as are username and password):

curl -k -X POST "https://foreman.example.com/v2/token" -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "scope=repository:orgname/productname/containername:pull,push repository:registry:pull,push" --data-urlencode "grant_type=password" --data-urlencode "username=myuser" --data-urlencode "password=mypassword" --data-urlencode "service=foreman.example.com" -w "\\n%{http_code}\\n"

This will yield the following output:

{
"error": {"message":"Media type in 'Content-Type: application/x-www-form-urlencoded' is unsupported in API v2 for POST and PUT requests. Please use 'Content-Type: application/json'."}
}

415
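
The fallback rule quoted from the spec above, as an added example that is not part of the original report or of Katello's code: a client that tries the OAuth2 POST and falls back to the GET flow only on 404, run against a constructed stub token server. `fetch_token`, `stub_registry` and `outcome` are hypothetical names, and the stub's token value is made up.

```python
import base64, io, json
import urllib.error, urllib.parse, urllib.request

def fetch_token(realm, service, scope, user, password, opener=urllib.request.urlopen):
    """Try the OAuth2 POST first; fall back to the GET flow only on 404."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "service": service, "scope": scope,
        "username": user, "password": password,
    }).encode()
    post = urllib.request.Request(
        realm, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with opener(post) as resp:
            return "oauth2", json.load(resp)["access_token"]
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise  # a 415 ends here: the client never attempts the GET
    query = urllib.parse.urlencode({"service": service, "scope": scope})
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    get = urllib.request.Request(
        f"{realm}?{query}", headers={"Authorization": f"Basic {basic}"})
    with opener(get) as resp:
        return "token", json.load(resp)["token"]

def stub_registry(post_status):
    """Constructed stand-in for a token server without OAuth2 support."""
    def opener(req):
        if req.get_method() == "POST":
            raise urllib.error.HTTPError(
                req.full_url, post_status, "stub", {}, io.BytesIO(b"{}"))
        return io.BytesIO(json.dumps({"token": "constructed-token"}).encode())
    return opener

def outcome(post_status):
    """Return what a spec-following client ends up with for a given POST status."""
    try:
        return fetch_token("https://foreman.example.com/v2/token",
                           "foreman.example.com",
                           "repository:orgname/productname/containername:pull",
                           "myuser", "mypassword", opener=stub_registry(post_status))
    except urllib.error.HTTPError as err:
        return "failed", err.code

if __name__ == "__main__":
    print(outcome(404))  # fallback reaches the GET flow
    print(outcome(415))  # fallback never happens
```
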

Actions #1

Updated by The Foreman Bot about 19 hours ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/11389 added
Actions #2

Updated by Quinn James about 10 hours ago

  • Category set to API
  • Target version set to Katello 4.17.0
  • Triaged changed from No to Yes