This repository has been archived by the owner on Jun 13, 2021. It is now read-only.
Running docker app push fails with my 2.7 docker registry and custom token authentication server. The issue I've observed is that docker-app is doing a few token authentication calls with my server:
2019-11-18 17:14:50,921 INFO: ANDY scope: repository:andy-corp/shellhttpd:push,pull
2019-11-18 17:15:02,794 INFO: ANDY scope: repository:andy-corp/shellhttpd:pull
2019-11-18 17:15:03,559 INFO: ANDY scope: repository:andy-corp/shellhttpd:pull
2019-11-18 17:15:04,422 INFO: ANDY scope: repository:andy-corp/shellhttpd:pull
2019-11-18 17:15:05,277 INFO: ANDY scope: repository:andy-corp/shellhttpd:pull
As you can see from my hacked logs above, the first scope docker-app asks for has push,pull. However, the preceding ones are all "pull" only. This leads my push command to give up with:
pushing to "hub.foundries.io/andy-corp/shellhttpd:c363d97": error while pushing bundle config manifest: server message: insufficient_scope: authorization failed
The way I read the token authentication spec, my server should take the intersection of what you ask for and what the user has access to:
the token server will find that the client’s set of granted access to the repository is [pull, push] which when intersected with the requested access [pull, push] yields an equal set. If the granted access set was found only to be [pull] then the intersected set would only be [pull]
So a request with scope=pull should only return pull even if the user has push,pull. This is how my token server is behaving, but it's breaking this command. If I return what the user can do and not the intersection (i.e. push,pull) then docker-app-push works fine.
NOTE - docker-app-push to hub.docker.io works fine for me. So it seems my token server is to blame. However, I'm confused due to the wording of the token auth spec. Can you please help clarify?
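The intersection rule quoted above, as an added example (not code from this issue, docker-app, or the registry). The `ACL` table and the function names are hypothetical; the scope strings are the two from the log lines, and the `access` entries follow the type/name/actions shape of the token's access claim.

```python
"""Scope intersection as a registry token server would apply it (illustrative)."""


def parse_scope(scope):
    """Split 'type:name:actions' into its parts.

    The resource name may itself contain ':' (for example a host:port
    prefix), so the type is taken from the left and the actions from the right.
    """
    rtype, _, rest = scope.partition(":")
    name, _, actions = rest.rpartition(":")
    if not rtype or not name or not actions:
        raise ValueError(f"malformed scope: {scope!r}")
    return rtype, name, {a for a in actions.split(",") if a}


def grant(scope_param, acl):
    """Build the token's access claim: requested actions ∩ granted actions."""
    access = []
    for scope in scope_param.split():  # several scopes may be space-separated
        rtype, name, requested = parse_scope(scope)
        allowed = acl.get((rtype, name), set())
        access.append({"type": rtype, "name": name,
                       "actions": sorted(requested & allowed)})
    return access


def authorizes(access, rtype, name, action):
    """Registry-side check: does this access claim permit the action?"""
    return any(e["type"] == rtype and e["name"] == name and action in e["actions"]
               for e in access)


# Constructed ACL: the user holds both pull and push on the repository.
ACL = {("repository", "andy-corp/shellhttpd"): {"pull", "push"}}

if __name__ == "__main__":
    repo = "andy-corp/shellhttpd"
    for scope in (f"repository:{repo}:push,pull", f"repository:{repo}:pull"):
        access = grant(scope, ACL)
        print(scope, "->", access[0]["actions"],
              "| push allowed:", authorizes(access, "repository", repo, "push"))
```

A token minted for the pull-only request carries only `pull`, so a registry that checks the access claim rejects a push presented with it, which matches the `insufficient_scope` error in the report.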
Hello @doanac, sorry for the late reply. I looked into the code and found that the error is raised here. If I read the code correctly, this error is raised only if it's the third time in a row the server returns an error. So the error comes from the authentication server itself, right? It feels like the server shouldn't return an error but just the pull scope access? 🤔 (If I also understand the logs and issue correctly, your user only has pull access but requires push,pull?)
The logs I showed were from my authentication server. My registry is rejecting the push because the JWT provided by the push code is only granted "pull" access.
I'll spin up a complete dev environment today to provide more logs. However, the problem (as I think is happening) is that docker-app first gets a push/pull token. That token would be able to push. However, it then gets a few "pull" scoped tokens and that's the token being used to push with.
I'm running https://github.com/docker/app/releases/download/v0.9.0-beta1/docker-app-linux.tar.gz and observing an odd issue. I feel like I've got to be doing something wrong, but I'm not seeing it.