Skip to content

Add auth headers to request when using BasicAuth#215

Open
corin33 wants to merge 1 commit intooras-project:mainfrom
corin33:fix-header-for-basic-auth
Open

Add auth headers to request when using BasicAuth#215
corin33 wants to merge 1 commit intooras-project:mainfrom
corin33:fix-header-for-basic-auth

Conversation

@corin33
Copy link
Copy Markdown

@corin33 corin33 commented Jun 26, 2025

Problem

I'm currently using oras-py as client library for a Zot OCI registry. In my current (rather simple) setup, I'm only using BasicAuth with username and password, no TokenAuth.
I noticed that when pushing a blob (by calling registry.upload_blob()), there is no authentication header, and thus Zot sometimes rejects the push.
I say sometimes, because other times Zot seems fine without the auth header, and accepts the push. It's really hard to debug...
When adding the auth header to every request, Zot is happy.

I saw that there's a test for pushing using basic auth oras/tests/test_oras.py#L168 which I would expect to fail as well, so I really don't know...

Proposed Solution

Add the auth headers to the request, just like it's done with TokenAuth.

NB: I have no clue if this is the right way, or if I'm misusing oras-py and should solve this a completely different way

Steps to reproduce

my client script essentially looks like this:

registry = Registry(hostname=host, tls_verify=tls_verify, auth_backend="basic")
res = registry.login(hostname=HOSTNAME, username=USERNAME, password=PASSWORD, tls_verify=false)
assert res["Status"] == "Login Succeeded"
container = oras.container.Container(f"{ HOSTNAME }/{ ARTIFACT }")

[...]
layer = oras.oci.NewLayer(elem.path, is_dir=False)
layer["annotations"] = {oras.defaults.annotation_title: str(elem.name)}

registry._check_200_response(registry.upload_blob(elem, container, layer))
[...]

relevant parts of Zot configuration:

  "http": {
    "address": "0.0.0.0",
    "port": "8080",
    "compat": ["docker2s2"],
    "realm": "zotserver",
    "tls": {
      "cert": "/etc/zot/server_san.crt",
      "key": "/etc/zot/server.key"
    },
    "auth": {
      "htpasswd": {
        "path": "/etc/zot/htpasswd"
      },
      "failDelay": 5
    },
    "accessControl": {
      "groups": {
        "admins": {
          "users": ["corin"]
        },
        "readers": {
          "users": ["githubrunner_read",]
        }
      },
      "repositories": {
        "**": {
          "policies": [{
              "groups": ["readers"],
              "actions": ["read"]
            },
            {
              "groups": ["admins"],
              "actions": ["read", "create", "update", "delete"]
            }]
        }
      }
    }
  },

@corin33
Add auth headers to request when using BasicAuth
b29ec98 
Signed-off-by: corin <corin@duckster.net>
vsoch
vsoch reviewed Jun 26, 2025
View reviewed changes
Comment thread oras/provider.py

# Make the request and return to calling function, but attempt to use auth token if previously obtained
if isinstance(self.auth, oras.auth.TokenAuth) and self.auth.token is not None:
if (
Copy link
Copy Markdown
Contributor

@vsoch vsoch Jun 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think generally speaking we want to add auth headers only after the registry requests it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vsoch vsoch vsoch left review comments

@SteveLasker SteveLasker Awaiting requested review from SteveLasker SteveLasker is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@corin33 @vsoch