remotes/docker/authorizer.go: refresh OAuth tokens when they expire #8735
Conversation
|
Hi @iain-macdonald. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
might related to #8388 |
That makes sense. I'll admit I'm not an expert with golang, but my understanding is if it isn't set, the default value assigned to |
yea you right it will fallback. But token expiration problem still exists if expires_in is not include in registry response |
Yes, and this PR preserves the existing behavior in the case, so it's strictly an improvement for the cases where |
|
Hey, it's been a few weeks without any feedback from the containerd team. Are there any next steps for me to take here? I've tried to follow the instructions in https://github.com/containerd/project/blob/main/CONTRIBUTING.md, but please let me know if I've missed a step or something. |
|
Hey, checking in one more time. Let me know if there are any additional steps I need to take to get this PR reviewed. Thanks! |
|
This change looks good to accept. I have a few questions though.
What were the errors? I'm wondering if @cardyok 's PR fixes the general issue without relying on the registry. Which registries today are setting this? (As this is only a recommended field https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2) |
|
The errors are 401 (unauthorized) errors, and the Docker Hub registry sets this field. @cardyok 's PR also fixes the issue we observed, Docker Hub sets the error field in its response as well, though it requires an additional roundtrip to/from the container registry to learn when access tokens have expired so it's slightly slower. That said, it's much simpler. |
|
Is there any concern with this? It looks like a good change that can save a round trip with the registry. |
|
Hey all, apologies for losing track of this for a little bit. I just rebased it, so it should be ready for review again. Thanks! |
Signed-off-by: Iain Macdonald <xiainx@gmail.com>
|
Thanks for the review, Derek. Can you suggest another reviewer so I can get this change approved and merged, or recommend different steps forward if not that? |
The authorization code in remotes/docker/authorizer.go currently ignores OAuth token expiration times that are provided by the issuer, instead relying on the caller to inform it of authentication failures to learn of token invalidations. This is slightly inefficient because round-trip requests to the server can be made using tokens that the client knows are expired, and requires the client to reauthorize more often that is strictly necessary. This PR tracks the token-issuer-provided expiration time along with the token itself and preemptively refreshes expired tokens when authorization requests are received for expired tokens.
I believe this the bearer auth case of #6377, though I noticed it in a slightly different context: we encountered errors streaming container images using the soci-snapshotter when these auth tokens expired and weren't refreshed correctly.
Signed-off-by: Iain Macdonald xiainx@gmail.com