Unable to authenticate against the OpenShift internal registry using a token.

The .NET SDK can't authenticate against the OpenShift image when the `auth.json` has an `auth` that starts with `<token>:`.

This case is treated special here:

https://github.com/dotnet/sdk/blob/3390aa48419e70e714ce0504983afc166e598644/src/Containers/Microsoft.NET.Build.Containers/AuthHandshakeMessageHandler.cs#L321-L323

The use of the `Bearer` scheme is causing the authentication to fail. When I change it to `Basic` (that is: removing the special case) then the authentication works.

With podman debug logging, there is a single GET call to the realm uri. I assume it immediately goes for the Basic auth.
```
DEBU[0000] GET https://<registry>/v2/ 
DEBU[0000] Ping https://<registry>/v2/ status 401 
DEBU[0000] GET https://<registry>/openshift/token?account=%3Ctoken%3E&scope=repository%3Atdeseyn-dev%2Fdotnet-runtime%3Apull 
DEBU[0000] Increasing token expiration to: 60 seconds   
DEBU[0000] GET https://<registry>/v2/tdeseyn-dev/dotnet-runtime/manifests/8.0 
```

@baronfel can we make the .NET 9 SDK capable of supporting this scenario by also trying basic auth for `<token>`? I can work on a PR.

For .NET 10, perhaps we can take a closer look at how `docker` and `podman` do the auth and try to mimic their behavior?

cc @omajid 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unable to authenticate against the OpenShift internal registry using a token. #43319

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	var header = privateRepoCreds.Username == "<token>"
	? new AuthenticationHeaderValue(BearerAuthScheme, privateRepoCreds.Password)
	: new AuthenticationHeaderValue(BasicAuthScheme, Convert.ToBase64String(Encoding.ASCII.GetBytes($"{privateRepoCreds.Username}:{privateRepoCreds.Password}")));