@corin33 corin33 commented Jun 26, 2025

Problem

I'm currently using oras-py as a client library for a Zot OCI registry. In my current (rather simple) setup, I'm only using BasicAuth with username and password, no TokenAuth.
I noticed that when pushing a blob (by calling registry.upload_blob()), there is no authentication header, and thus Zot sometimes rejects the push.
I say sometimes, because other times Zot seems fine without the auth header, and accepts the push. It's really hard to debug...
When adding the auth header to every request, Zot is happy.

I saw that there's a test for pushing using basic auth (oras/tests/test_oras.py#L168) which I would expect to fail as well, so I really don't know...

Proposed Solution

Add the auth headers to the request, just like it's done with TokenAuth.

NB: I have no clue if this is the right way, or if I'm misusing oras-py and should solve this in a completely different way.

Steps to reproduce

My client script essentially looks like this:

import oras.container
import oras.defaults
import oras.oci
from oras.provider import Registry

# basic auth backend; login() stores the credentials on the registry object
registry = Registry(hostname=host, tls_verify=tls_verify, auth_backend="basic")
res = registry.login(hostname=HOSTNAME, username=USERNAME, password=PASSWORD, tls_verify=False)
assert res["Status"] == "Login Succeeded"
container = oras.container.Container(f"{HOSTNAME}/{ARTIFACT}")

[...]
# one layer per file; the title annotation carries the file name
layer = oras.oci.NewLayer(elem.path, is_dir=False)
layer["annotations"] = {oras.defaults.annotation_title: str(elem.name)}

registry._check_200_response(registry.upload_blob(elem, container, layer))
[...]

Relevant parts of the Zot configuration:

  "http": {
    "address": "0.0.0.0",
    "port": "8080",
    "compat": ["docker2s2"],
    "realm": "zotserver",
    "tls": {
      "cert": "/etc/zot/server_san.crt",
      "key": "/etc/zot/server.key"
    },
    "auth": {
      "htpasswd": {
        "path": "/etc/zot/htpasswd"
      },
      "failDelay": 5
    },
    "accessControl": {
      "groups": {
        "admins": {
          "users": ["corin"]
        },
        "readers": {
          "users": ["githubrunner_read"]
        }
      },
      "repositories": {
        "**": {
          "policies": [{
              "groups": ["readers"],
              "actions": ["read"]
            },
            {
              "groups": ["admins"],
              "actions": ["read", "create", "update", "delete"]
            }]
        }
      }
    }
  },

Signed-off-by: corin <corin@duckster.net>

# Make the request and return to calling function, but attempt to use auth token if previously obtained
if isinstance(self.auth, oras.auth.TokenAuth) and self.auth.token is not None:
if (
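Review bot: the replacement condition at `if (` is cut off in this view, so it is not visible what the BasicAuth branch checks before attaching the header. The existing TokenAuth branch only adds `Authorization` when `self.auth.token is not None`; the Basic branch should guard the same way (credentials actually loaded by `login()`), otherwise a client without stored credentials would send an empty or malformed `Authorization` value on every request.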
Contributor

I think generally speaking we want to add auth headers only after the registry requests it.
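The challenge-driven flow described in the comment above, as an added example that is neither oras-py's nor Zot's own code: the client sends the first request without credentials, and only after the registry answers 401 with a WWW-Authenticate challenge does it build the matching Authorization header, retry once, and reuse that header for the rest of the session. The registry is simulated in-process with the reader/admin split from the Zot config above; user names, the password, the realm and the paths are constructed for the example.

```python
"""Challenge-driven Basic auth against a simulated OCI registry (added example)."""
import base64
import re

# name=value pairs of a WWW-Authenticate challenge; values may be quoted or bare
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_challenge(header):
    """Split 'Basic realm="zotserver"' into ("basic", {"realm": "zotserver"})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme.lower(), params


def basic_header(username, password):
    """RFC 7617 credentials: base64(user:pass); built only after a challenge."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


class FakeRegistry:
    """Mirrors the policy in the Zot config above: readers may pull, admins may
    push, unauthenticated requests get 401 with a Basic challenge (constructed)."""

    WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

    def __init__(self, realm="zotserver"):
        self.realm = realm
        self.users = {"corin": "s3cret", "githubrunner_read": "r3ad"}  # constructed
        self.admins = {"corin"}

    def _user_for(self, authorization):
        if not authorization or not authorization.startswith("Basic "):
            return None
        try:
            user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return user if self.users.get(user) == pw else None

    def handle(self, method, path, headers):
        """Return (status, response_headers) for one request."""
        user = self._user_for(headers.get("Authorization"))
        if user is None:
            return 401, {"WWW-Authenticate": f'Basic realm="{self.realm}"'}
        if method in self.WRITE_METHODS and user not in self.admins:
            return 403, {}
        return (202 if method == "POST" else 200), {}


class ChallengeClient:
    """Sends credentials only after the registry asks for them, then caches the
    resulting header so later requests in the session carry it up front."""

    def __init__(self, registry, username, password):
        self.registry = registry
        self.username = username
        self.password = password
        self._auth_header = None
        self.log = []  # (method, path, auth_sent, status) for inspection

    def _send(self, method, path, headers):
        status, resp_headers = self.registry.handle(method, path, headers)
        self.log.append((method, path, "Authorization" in headers, status))
        return status, resp_headers

    def request(self, method, path):
        headers = {}
        if self._auth_header:
            headers["Authorization"] = self._auth_header
        status, resp_headers = self._send(method, path, headers)
        if status != 401:
            return status
        scheme, params = parse_challenge(resp_headers.get("WWW-Authenticate", ""))
        if scheme != "basic":
            # A Bearer challenge would need a token exchange at params["realm"];
            # the simulated registry only issues Basic challenges.
            return status
        self._auth_header = basic_header(self.username, self.password)
        headers["Authorization"] = self._auth_header
        status, _ = self._send(method, path, headers)
        return status


def push_session(username, password):
    """Start a blob upload, then put a manifest; returns (statuses, request log)."""
    client = ChallengeClient(FakeRegistry(), username, password)
    statuses = [
        client.request("POST", "/v2/myrepo/blobs/uploads/"),
        client.request("PUT", "/v2/myrepo/manifests/latest"),
    ]
    return statuses, client.log


if __name__ == "__main__":
    print(push_session("corin", "s3cret"))            # admin: challenged once, then 202/200
    print(push_session("githubrunner_read", "r3ad"))  # reader: authenticated but 403 on writes
```

The request log shows the property the comment asks for: the first request of a session goes out without `Authorization`, the retry after the 401 carries it, and every later request reuses the header without another round trip. A valid reader account still gets 403 on writes, which is the access-control outcome rather than an authentication failure.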


2 participants