API access when OIDC is configured #14958

Closed
mdconner opened this issue May 24, 2021 · 8 comments
Labels
area/oidc kind/requirement New feature or idea on top of harbor

@mdconner

Is your feature request related to a problem? Please describe.
No way for an account (except admin) to use the Harbor API when OIDC is configured. We expected a User's "CLI Secret" to grant this access, but found it is limited to docker CLI commands.

Describe the solution you'd like
Ability to log in (e.g., token, basic auth) as a specific user when OIDC is configured and issue Harbor API calls for things that user has access to.

Describe the main design/architecture of your solution
A means to log in (CLI Secret, or other) to create a time-limited token and/or the ability to pass that authentication into every Harbor API call.

Describe the development plan you've considered
None - not familiar with Harbor's implementation or architecture

Additional context
This may be related to #14236, but that started to go in other directions once tied to Robot accounts.

@phin1x
Contributor

phin1x commented May 25, 2021

@mdconner What's your use case for a user to access the Harbor API directly? For all the scenarios I can think of, a robot account would be better.

@mdconner
Author

This would be for external applications to interact with Harbor (automate project creation, get list of projects/repositories/images, identify image digest by tag, etc.). We have not been able to get robot accounts to login via API due to OIDC.

@phin1x
Contributor

phin1x commented May 26, 2021

We are using OIDC and robot accounts without any auth problems with Harbor 2.2. Just use basic auth for robot accounts.
What errors do you get?

@mdconner
Author

We get a 401 error using the Robot's CLI Secret as either the Bearer Token or Basic Auth. How are credentials for a Robot to be passed in?

@steven-zou steven-zou added area/oidc kind/requirement New feature or idea on top of harbor labels May 31, 2021
@reasonerjt
Contributor

@mdconner You can use the ID token of the user as a Bearer Token to access the API.

@mdconner
Author

mdconner commented Jun 1, 2021

Is there a way to get the ID Token from Harbor? We have not been able to get it from our OIDC system.

@reasonerjt
Contributor

@mdconner You should not try to get it from Harbor.
But if you set the log level to DEBUG you can see the ID token when you log in via the OIDC SSO flow.

@mdconner
Author

We have been able to get an OAuth token and can now log in via the API.
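
The two authentication methods mentioned in this thread (the user's ID token as a Bearer token, and basic auth for a robot account), as an added Python example that is not part of the original issue or of Harbor's code. The host name, the `/api/v2.0/projects` path, the robot name in the sample call and the audience check against the OIDC client ID are assumptions; the token payload is decoded for inspection only, without signature verification.

```python
import base64
import json
import time
import urllib.request

# Assumed values for illustration; none of these come from the thread.
HARBOR_URL = "https://harbor.example.com"
PROJECTS_PATH = "/api/v2.0/projects"

def id_token_claims(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_usable(id_token, client_id, now=None, skew=30):
    """Return reasons the token would likely get a 401 (empty list = looks usable)."""
    claims = id_token_claims(id_token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now + skew:
        problems.append("expired")
    aud = claims.get("aud")  # may be a string or a list of strings
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    return problems

def _request(auth_value):
    headers = {"Authorization": auth_value, "Accept": "application/json"}
    return urllib.request.Request(HARBOR_URL + PROJECTS_PATH, headers=headers)

def bearer_request(id_token):
    """OIDC user: the ID token is sent as a Bearer token."""
    return _request("Bearer " + id_token)

def robot_request(robot_name, robot_secret):
    """Robot account: HTTP basic auth with the full robot name and its secret."""
    pair = f"{robot_name}:{robot_secret}".encode()
    return _request("Basic " + base64.b64encode(pair).decode())

def constructed_token(claims):
    """Build an unsigned sample token for offline testing (constructed data)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])
```

Pass the returned request object to `urllib.request.urlopen` to send it; running `check_usable` first separates an expired or wrong-audience token from a genuine permission problem when the API answers 401.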
