|
| 1 | +:_content-type: CONCEPT |
| 2 | +[id="token-overview"] |
| 3 | += Introduction to {productname} OAuth 2.0 tokens |
| 4 | + |
| 5 | +The {productname} OAuth2 token system provides a secure, standards-based method for accessing {productname}'s API and other relevant resources. The {productname} OAuth2 token-based approaches provides a secure method for handling authentication and authorization for complex environments. Compared to more traditional API tokens, {productname}'s OAuth2 token system offers the following enhancements: |
| 6 | +
|
| 7 | +* Standards-based security, which adheres to the link:https://oauth.net/2/[OAuth 2.0 protocol]. |
| 8 | +* Revocable access by way of deleting the application in which the OAuth2 token exists. |
| 9 | +* Fine-grained access control, which allows {productname} administrators the ability to assign specific permissions to tokens. |
| 10 | +* Delegated access, which allows third-party applications and services to act on behalf of a user. |
| 11 | +* Future-proofing, which helps ensure that {productname} remains compatible with other services, platforms, and integrations. |
| 12 | +
|
| 13 | +The following sections provide more tails about the token types available with {productname}. |
| 14 | +
|
| 15 | +[id="token-types"] |
| 16 | +== {productname} token types |
| 17 | +
|
| 18 | +{productname} primarily supports two types of tokens: OAuth2 access tokens and robot account tokens. A third token type, an _OCI referrers access token_, that is required to list OCI referrers of a manifest under a repository, is also available when warranted. |
| 19 | +
|
| 20 | +[discrete] |
| 21 | +[id="oauth2-access-tokens"] |
| 22 | +=== OAuth2 access tokens |
| 23 | +
|
| 24 | +OAuth 2 access tokens enable user-authenticated access to the {productname} API, suitable for applications that require user identity verification. These tokens are obtained through an OAuth2 authorization process, where a {productname} administrator generates a token on behalf of themselves or another user to access {productname} API endpoints. OAuth 2 tokens authorize actions on API endpoints based on the scopes defined for the token. |
| 25 | +
|
| 26 | +[NOTE] |
| 27 | +==== |
| 28 | +Although OAuth 2 tokens authorize actions on API endpoints based on the scopes defined for the token, access to the resources themselves is governed by {productname}'s role-based access control (RBAC) mechanisms. Actions can be created on a resource, for example, a repository, provided that you have the proper role (*Admin* or *Creator*) to do so for that namespace. This is true even if the API token was granted the `repo:admin` scope. |
| 29 | +==== |
| 30 | +
|
| 31 | +Currently, the following options can be selected for a token holder: |
| 32 | +
|
| 33 | +* *Administer Organization*. When selected, allows the user to be able to administer organizations, including creating robots, creating teams, adjusting team membership, and changing billing settings. |
| 34 | +
|
| 35 | +* *Administer Repositories*. When selected, provides the user administrator access to all repositories to which the granting user has access. |
| 36 | +
|
| 37 | +* *Create Repositories*. When selected, provides the user the ability to create repositories in any namespaces that the granting user is allowed to create repositories. |
| 38 | +
|
| 39 | +* *View all visible repositories*. When selected, provides the user the ability to view and pull all repositories visible to the granting user. |
| 40 | +
|
| 41 | +* *Read/Write to any accessible repositories*. When selected, provides the user the ability to view, push and pull to all repositories to which the granting user has write access. |
| 42 | +
|
| 43 | +* *Super User Access*. When selected, provides the user the ability to administer your installation including managing users, managing organizations and other features found in the superuser panel. |
| 44 | +
|
| 45 | +* *Administer User* When selected, provides the user the ability to administer your account including creating robots and granting them permissions to your repositories. |
| 46 | +
|
| 47 | +* *Read User Information*. When selected, provides the user the ability to read user information such as username and email address. |
| 48 | +
|
| 49 | +Token distributors should be mindful of the permissions that they are granting when generating a token on behalf of a user, and should have absolute trust in a user before granting such permissions as *Administer organization*, *Super User Access*, and *Administer User*. |
| 50 | +
|
| 51 | +OAuth2 access tokens are passed as a `Bearer` token in the `Authorization` header of an API call and, as a result, are used to provide authentication and authorization to the defined API endpoint, such as an image tag, a repository, an organization, and so on. |
| 52 | +
|
| 53 | +With {productname}, there is currently no way to set an expiration time on an OAuth2 access token, and the token lifespan is 10 years. Tokens can be deleted by deleting the applications in which they were created in the event that they are compromised, however, this deletes all tokens that were made within that specific application. |
| 54 | +
|
| 55 | +[NOTE] |
| 56 | +==== |
| 57 | +In practice, {productname} administrators _could_ create a new OAuth application on the *Applications* page of their organization each time they wanted to create a new OAuth token for a user. This would ensure that a single application is not responsible for all OAuth tokens. As a result, in the event that a user's token is compromised, the administrator would delete the application of the compromised token. This would help avoid disruption for other users whose tokens might be part of the same application. |
| 58 | +==== |
| 59 | +
|
| 60 | +[discrete] |
| 61 | +[id="robot-account-tokens"] |
| 62 | +=== Robot account tokens |
| 63 | +
|
| 64 | +Robot account _tokens_ are essentially _password-type_ credentials used to access a {productname} registry via normal Docker v2 endpoints; these are defined as _tokens_ on the UI because the password itself is encrypted. |
| 65 | +
|
| 66 | +Robot account tokens are persistent tokens designed for automation and continuous integration workflows. By default, {productname}'s robot account tokens do not expire and do not require user interaction, which makes robot accounts ideal for non-interactive use cases. |
| 67 | +
|
| 68 | +Robot account tokens are automatically generated at the time of a robot's creation and are non-user specific; that is, they are connected to the user and organization namespace where where they are created. for example, a robot named `project_tools+<robot_name>` is associated with the `project_tools` namespace. |
| 69 | +
|
| 70 | +Robot account tokens provide access without needing a user's personal credentials. How the robot account is configured, for example, with one of `READ`, `WRITE`, or `ADMIN` permissions, ultimately defines the actions that the robot account can take. |
| 71 | +
|
| 72 | +Because robot account tokens are persistent and do not expire by default, they are ideal for automated workflows that require consistent access to {productname} without manual renewal. Despite this, robot account tokens can be easily re-generated by using the the UI or the proper API endpoint via the CLI. To enhance the security of your {productname} deployment, administrators should regularly refresh robot account tokens. Additionally, with the newly-implemented _keyless authentication with robot accounts_ feature, robot account tokens can be exchanged for external OIDC tokens and leveraged so that they only last one hour, enhancing the security of your registry. |
| 73 | +
|
| 74 | +When a namespace gets deleted, or when the robot account is deleted itself, they are garbage collected when the collector is scheduled to run. |
| 75 | +
|
| 76 | +[discrete] |
| 77 | +[id="oci-referrers-oauth-access-token"] |
| 78 | +=== OCI referrers OAuth access token |
| 79 | +
|
| 80 | +In some cases, depending on the features that your {productname} deployment is configured to use, you might need to leverage an _OCI referrers OAuth access token_. OCI referrers OAuth access tokens are used to list OCI referrers of a manifest under a repository, and uses a `curl` command to make a `GET` request to the {productname} `v2/auth` endpoint. |
| 81 | +
|
| 82 | +These tokens are obtained via basic HTTP authentication, wherein the user provides a username and password encoded in Base64 to authenticate directly with the `v2/auth` API endpoint. As such, they are based directly on the user's credentials aod do not follow the same detailed authorization flow as OAuth2, but still allow a user to authorize API requests. |
| 83 | +
|
| 84 | +_OCI referrers OAuth access tokens_ do not offer scope-based permissions and do not expire. They are solely used to list OCI referrers of a manifest under a repository. |
0 commit comments