Credential identity mismatch between OCI artifact and blob transformers

[piotrjanik]

Context

When transferring component versions with --copy-resources, the ociArtifact transformer and the blob transformers build different credential consumer identities for the same OCI registry.

• Blob transformers use IdentityFromOCIRepository which parses the repository BaseUrl (e.g. oci://ghcr.io) and defaults port=443 and scheme=oci.
• OCI artifact transformer uses ResourceRepository.getIdentity → ParseURLToIdentity which parses the image reference (e.g. ghcr.io/repo/image:tag) and produces an identity without scheme or port since they are not present in the reference string.

A single credential entry in ocmconfig.yaml cannot satisfy both code paths — one expects hostname=ghcr.io,port=443,scheme=oci,type=OCIRepository, the other expects hostname=ghcr.io,type=OCIRepository.

The root issue is that IdentityFromOCIRepository assumes defaults for scheme and port. The credential matcher then requires an exact match on all identity attributes. Instead, identities should only contain attributes that are explicitly known, and the matcher should support partial matching — a lookup identity with fewer attributes should match credential entries with more attributes.

Version

Latest main branch + PR #1684 (feat: oci artifact cli).

To Reproduce

1. Create a component version with an ociArtifact resource:

   resources:
     - name: lib
       version: v1.0.0
       type: blob
       input:
         type: file
         path: dummy.bin
     - name: oci-image
       version: v1.0.0
       type: ociArtifact
       access:
         type: ociArtifact/v1
         imageReference: ghcr.io/my-org/my-image:latest

2. Configure ocmconfig.yaml with a single credential entry:

   type: generic.config.ocm.software/v1
   configurations:
   - type: credentials.config.ocm.software
     consumers:
     - identity:
         type: OCIRepository
         hostname: ghcr.io
         port: "443"
         scheme: oci
       credentials:
       - type: Credentials/v1
         properties:
           username: my-user
           password: my-token

3. Run:

   ocm transfer component-version --recursive --copy-resources \
     ctf::source.ctf//my-org/my-component:v1.0.0 \
     oci::oci://ghcr.io/my-org/target

Actual behavior

Blob transformers succeed (identity matches hostname=ghcr.io,port=443,scheme=oci,type=OCIRepository), but the GetOCIArtifact transformer fails with:

failed to resolve credentials for identity "hostname=ghcr.io,type=OCIRepository": credentials not found

The OCI artifact transformer produces an identity with only hostname and type (no port, no scheme), so the credential matcher does not find a match.

Expected behavior

A single credential entry for ghcr.io should work for all transformers accessing the same registry. The fix should focus on two things:

1. Identity should not assume defaults — IdentityFromOCIRepository should stop defaulting scheme and port when they are not explicitly present in the URL. Identities should only contain attributes that are explicitly known.
2. Matcher should support partial matching — a lookup identity with fewer attributes (e.g. just hostname + type) should match credential entries that have additional attributes (e.g. hostname + type + port + scheme).
   Additional Comments~ (moved to: Fix credential consumer identity issues ocm-project#916)

Relevant code paths:

• [bindings/go/oci/spec/credentials/identity/v1/type.go](https://github.com/open-component-model/open-component-model/blob/main/bindings/go/oci/spec/credentials/identity/v1/type.go) — IdentityFromOCIRepository defaults port and scheme
• [bindings/go/oci/repository/resource/resource_repository.go](https://github.com/open-component-model/open-component-model/blob/main/bindings/go/oci/repository/resource/resource_repository.go) — getIdentity uses ParseURLToIdentity (no defaults)
• [bindings/go/runtime/identity.go](https://github.com/open-component-model/open-component-model/blob/main/bindings/go/runtime/identity.go) — ParseURLToIdentity only sets attributes explicitly present in URL

Related: PR #1684

[Skarlso]

@piotrjanik Agreed that we need something actionable, so let's talk about this and figure out a possible expected outcome of this.

[frewilhelm]

@piotrjanik Please split the issue in two, combined with open-component-model/ocm-project#916 (which needs to be split as well)

[frewilhelm]

@fabianburth please include the relevant parts from this issue into yours open-component-model/ocm-project#916