feat: handle Docker Bearer token auth for upstream registries #60

Merged
benvin merged 1 commits from benvin/docker-token-auth into master 2026-06-27 00:18:07 +10:00
Owner

Docker Hub (and other registries) return 401 with a `Www-Authenticate: Bearer realm=...` challenge even for public images. The proxy now:

  1. Detects 401 + Bearer challenge
  2. Parses realm/service/scope from the header
  3. Fetches an anonymous token (or authenticated if username/password configured)
  4. Retries the original request with the Bearer token

Fixes: `docker pull artifactapi.../dockerhub/library/redis:latest` returning "unauthorized: upstream returned 401"

unkinben added 1 commit 2026-06-27 00:15:49 +10:00
feat: handle Docker Bearer token auth for upstream registries
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
06de57030e
When an upstream registry returns 401 with a Www-Authenticate: Bearer
challenge, the proxy now fetches an anonymous (or authenticated) token
from the auth endpoint and retries the request.

This fixes Docker Hub pulls which require token exchange even for
public images.
benvin merged commit 8ec7de50e3 into master 2026-06-27 00:18:07 +10:00
benvin deleted branch benvin/docker-token-auth 2026-06-27 00:18:07 +10:00
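
The challenge handling described in this PR, sketched as an added example (not the project's own code; Python, the function names and the `allowed_realm_hosts` allowlist are assumptions). Because the realm URL is chosen by the upstream response, the sketch only hands configured credentials to an https realm whose host is allowlisted and otherwise falls back to an anonymous token request. It handles a single Bearer challenge per header.

```python
import re
from urllib.parse import urlencode, urlsplit

# Constructed sample of the challenge Docker Hub sends for a public image.
SAMPLE = ('Bearer realm="https://auth.docker.io/token",'
          'service="registry.docker.io",scope="repository:library/redis:pull"')

# key="quoted value" or key=token pairs, as used in auth challenges.
_PARAM = re.compile(r'([A-Za-z_][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_bearer_challenge(header):
    """Return the Bearer challenge parameters as a dict, or None if unusable."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = {}
    for key, quoted, bare in _PARAM.findall(rest):
        # Undo backslash escapes inside quoted strings.
        params[key.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return params if "realm" in params else None


def build_token_request(status, headers, allowed_realm_hosts, credentials=None):
    """Map a 401 response to (token_url, basic_auth), or None.

    basic_auth is the configured (username, password) only when the realm
    host is allowlisted; otherwise it is None (anonymous token request).
    """
    if status != 401:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = parse_bearer_challenge(lowered.get("www-authenticate", ""))
    if challenge is None:
        return None
    realm = urlsplit(challenge["realm"])
    if realm.scheme != "https" or not realm.hostname:
        return None  # refuse plaintext or malformed token endpoints
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    url = challenge["realm"]
    if query:
        url += ("&" if realm.query else "?") + urlencode(query)
    trusted = realm.hostname in allowed_realm_hosts
    return url, (credentials if trusted else None)
```

The caller then fetches `token_url`, reads the token from the JSON response, and retries the original request with `Authorization: Bearer <token>`.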

Reference: unkin/artifactapi#60