feat: add token authentication with keycloak (#167)

Author: Joxit

examples/token-auth-keycloak/.gitignore

@@ -0,0 +1,2 @@
+data/registry/
+data/keycloak/

examples/token-auth-keycloak/README.md

@@ -0,0 +1,137 @@
+# Token Authentication with Keycloak
+
+In this example, we'll see how to configure your keycloak server and use token authentication with your registry. This will use the [docker registry v2 token authentication protocol](https://docs.docker.com/registry/spec/auth/token/).
+
+![token protocol](https://docs.docker.com/registry/spec/images/v2-registry-auth.png)
+
+In this image, we will replace the docker client/daemon by the Docker Registry UI. Here are the steps:
+
+1. Attempt to get a resource (catalog, image info, image delete) with the registry.
+2. If the registry requires authorization it will return a `401 Unauthorized` HTTP response with information on how to authenticate.
+3. The **docker registry ui** makes a request to **keycloak** for a Bearer token.
+    1. Your browser will use the [Basic Access Authentication Protocol](https://en.wikipedia.org/wiki/Basic_access_authentication#Protocol). But keycloak does not support this protocol... That's why we need a nginx proxy on top of keycloak.
+    2. Your proxy will receive a request on `/auth/realms/{realm name}/protocol/docker-v2/auth` without `Authentication` header. It will return a `401 Unauthorized` HTTP response with `WWW-Authenticate` header.
+    3. Your browser will ask you your credentials.
+    4. The proxy will pass the credentials to keycloak.
+4. Keycloak returns an opaque Bearer token representing the client’s authorized access.
+5. The **docker registry ui** retries the original request with the Bearer token embedded in the request’s Authorization header.
+6. The Registry authorizes the client by validating the Bearer token and the claim set embedded within it and begins the session as usual.
+
+:warning: If you are configuring from scratch your own keycloak server, remove files in `data` folder first with certificates in `conf/registry/localhost.*` 
+
+## Configure your nginx/proxy server
+
+I will highlight required configuration for Basic Access Authentication Protocol. Replace the `{realm name}` by the name of your realm. In my example the realm is master, but you should create your own realm for your users.
+
+```nginx
+  resolver 127.0.0.11 valid=30s;
+  set $keycloak "http://keycloak:8080";
+
+  # Location to get keycloak token 
+  location /auth/realms/{realm name}/protocol/docker-v2/auth {
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Host               $host;
+    proxy_set_header X-Forwarded-Host   $host;
+    # By default, keycloak returns 400 instead of 401, we need to change that
+    if ($http_authorization = "") {
+      add_header WWW-Authenticate 'Basic realm="Keycloak login"' always;
+      return 401;
+    }
+    proxy_pass $keycloak;
+  }
+```
+
+Start your nginx server. It will be available on http://localhost/ in my example.
+
+```sh
+docker-compose up -d proxy
+```
+
+## Configure your keycloak server
+
+I will highlight required configuration for docker protocol. You will need to add this option to your keycloak command line:
+
+```
+-Dkeycloak.profile.feature.docker=enabled
+```
+
+Then the defalt user can be configured via environment variables
+```yml
+services:
+  keycloak:
+    image: jboss/keycloak
+    environment:
+      KEYCLOAK_USER: admin
+      KEYCLOAK_PASSWORD: password
+    user: root
+    networks:
+      - registry-ui-net
+    command: -Dkeycloak.profile.feature.docker=enabled -b 0.0.0.0
+```
+
+Now you can start your keycloak server, it will be available on http://localhost/auth in my example.
+
+
+```sh
+docker-compose up -d keycloak 
+```
+
+Now you need to configure your docker client with these steps:
+
+Go to the keycloak home page: http://localhost/auth and click on `Administration Console`.
+
+![keycloak-home](https://raw.github.com/Joxit/docker-registry-ui/main/examples/token-auth-keycloak/images/01-keycloak-home.png)
+
+Sign in with your login and password (in my example it's `admin` and `password`).
+
+![keycloak-home](https://raw.github.com/Joxit/docker-registry-ui/main/examples/token-auth-keycloak/images/02-keycloak-signin.png)
+
+Go to `Clients` in the left side menu.
+
+![keycloak-home](https://raw.github.com/Joxit/docker-registry-ui/main/examples/token-auth-keycloak/images/03-keycloak-to-clients.png)
+
+Create a new client.
+
+![keycloak-home](https://raw.github.com/Joxit/docker-registry-ui/main/examples/token-auth-keycloak/images/04-keycloak-create-client.png)
+
+Enter a name for `Client ID`, choose `docker-v2` as the `Client Protocol`, and click `Save`.
+
+![keycloak-home](https://raw.github.com/Joxit/docker-registry-ui/main/examples/token-auth-keycloak/images/05-keycloak-new-client.png)
+
+Navigate to `Installation` tab, choose `Docker Compose YAML` as `Format Option` and click `Download`
+
+![keycloak-home](https://raw.github.com/Joxit/docker-registry-ui/main/examples/token-auth-keycloak/images/06-keycloak-download.png)
+
+When you extract the archive, the resulting directory should look like this.
+
+```
+keycloak-docker-compose-yaml
+├── certs
+│   ├── localhost.crt
+│   ├── localhost.key
+│   └── localhost_trust_chain.pem
+├── data
+├── docker-compose.yaml
+└── README.md
+```
+
+Copy all the files from `certs` folder to `conf/registry` (this will replace files generated for this example).
+
+## Configure your registry server
+
+The last step is the configuration of your registry server. The config file is located in `conf/registry/config.yml`. The import part of the configuration is `auth.token` where you need to set `realm`, `service`, `issuer` and the `rootcertbundle` from the previous archive.
+
+```yml
+auth:
+  token:
+    realm: http://localhost/auth/realms/{realm name}/protocol/docker-v2/auth
+    service: docker-registry
+    issuer: http://localhost/auth/realms/{realm name}
+    rootcertbundle: /etc/docker/registry/localhost_trust_chain.pem
+```
+
+Now you can start your docker registry with your docker registry ui.
+
+```sh
+docker-compose up -d registry ui
+```

examples/token-auth-keycloak/conf/proxy/nginx.conf

@@ -0,0 +1,78 @@
+server {
+    listen       80;
+    server_name  localhost;
+    resolver 127.0.0.11 valid=30s;
+
+    set $keycloak "http://keycloak:8080";
+    set $registry "http://registry:5000";
+    set $ui "http://ui";
+
+
+    #charset koi8-r;
+    #access_log  /var/log/nginx/host.access.log  main;
+
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+    chunked_transfer_encoding on;
+    # required for strict SNI checking: see Issue #70 (https://github.com/Joxit/docker-registry-ui/issues/70)
+    proxy_ssl_server_name on;
+    proxy_buffering off;
+    proxy_ignore_headers "X-Accel-Buffering";
+
+    location /v2 {
+      # Do not allow connections from docker 1.5 and earlier
+      # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+      if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+          return 404;
+      }
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host               $host;
+      proxy_set_header X-Forwarded-Host   $host;
+      proxy_pass $registry;
+    }
+
+    location /auth {
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host               $host;
+      proxy_set_header X-Forwarded-Host   $host;
+      proxy_pass $keycloak;
+    }
+
+    location /auth/realms/master/protocol/docker-v2/auth {
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host               $host;
+      proxy_set_header X-Forwarded-Host   $host;
+      if ($http_authorization = "") {
+        add_header WWW-Authenticate 'Basic realm="Keycloak login"' always;
+        return 401;
+      }
+      proxy_pass $keycloak;
+    }
+
+    location /ui {
+      proxy_pass $ui;
+    }
+
+    location / {
+      root   /usr/share/nginx/html;
+      index  index.html index.htm;
+    }
+
+    #error_page  404              /404.html;
+
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+
+    # deny access to .htaccess files, if Apache's document root
+    # concurs with nginx's one
+    #
+    #location ~ /\.ht {
+    #    deny  all;
+    #}
+}

examples/token-auth-keycloak/conf/registry/config.yml

@@ -0,0 +1,27 @@
+version: 0.1
+log:
+  fields:
+    service: registry
+storage:
+  delete:
+    enabled: true
+  cache:
+    blobdescriptor: inmemory
+  filesystem:
+    rootdirectory: /var/lib/registry
+http:
+  addr: :5000
+  headers:
+    X-Content-Type-Options: [nosniff]
+    Access-Control-Allow-Origin: ['http://localhost']
+    Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
+    Access-Control-Allow-Headers: ['Authorization', 'Accept']
+    Access-Control-Max-Age: [1728000]
+    Access-Control-Allow-Credentials: [true]
+    Access-Control-Expose-Headers: ['Docker-Content-Digest']
+auth:
+  token:
+    realm: http://localhost/auth/realms/master/protocol/docker-v2/auth
+    service: docker-registry
+    issuer: http://localhost/auth/realms/master
+    rootcertbundle: /etc/docker/registry/localhost_trust_chain.pem

examples/token-auth-keycloak/conf/registry/localhost.crt

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICmzCCAYMCBgF3SzuJuTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0
+ZXIwHhcNMjEwMTI4MjMwMDI5WhcNMzEwMTI4MjMwMjA5WjARMQ8wDQYDVQQDDAZt
+YXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCliGzyYtDTTmaj
+QYso8nxIY2tO5ITnRbgDQIXMuAY5HMv2XglT2zSHJNfC/HYSilZPSd8Ee/0oxm/q
+On1Al3JENx21txUWOBe48CVzLlIYlUnIXqaFh0YyL6feUZaDKg1YSVGhSzHDI57X
+DcfnR+g0V5QxzIKzK624Lw7vqGvZz5e9sS9mTn9EZUmqQRQBerB5qrPnuDLxEbj4
+LPxqjuFyKQ4g8wooYlBNSFruRas3TpG/90Xy15pa9a3ofiVPZCt3IoaQGPw4Ah3O
+ygnelgEhWNRwROx4dErmW2l7dUQP8dbSz+qI4g04Wx3GjnZAlY7mt7LG8OncavsA
+Gp52m8QrAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGvqPm9nmEMfGYjWN6JlnM2x
+/YkKzvH6B+IeXz/j2bXKZqQoQ1up62HNM4e3GKSw/51Lge6QXqgOZmFSHABev8EV
++vzDMfRLjBfV1RmhZXYCh6nje0d61jAa0Sn6CfsUllIQRt3Hn67qzPk1d6SnKSHA
+tsbh5+pCDivfJBRm7sJCv1y9dPP1rlaxAOZrVU8LEsJlTP3D0OScrDQv09CVonwi
+4W2bnLcB6aPW5Fw3gyY4TtXfcQzQqbV5Gjs9EZNA6Vczu+80U14T4VD9CDgC8yky
+2KY2pGClWEjM+dJnZ0440wXuGK/lJEN41SzfKxyfCBTJVebwOXsqsyonYYK8Pxo=
+-----END CERTIFICATE-----

examples/token-auth-keycloak/conf/registry/localhost.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCliGzyYtDTTmaj
+QYso8nxIY2tO5ITnRbgDQIXMuAY5HMv2XglT2zSHJNfC/HYSilZPSd8Ee/0oxm/q
+On1Al3JENx21txUWOBe48CVzLlIYlUnIXqaFh0YyL6feUZaDKg1YSVGhSzHDI57X
+DcfnR+g0V5QxzIKzK624Lw7vqGvZz5e9sS9mTn9EZUmqQRQBerB5qrPnuDLxEbj4
+LPxqjuFyKQ4g8wooYlBNSFruRas3TpG/90Xy15pa9a3ofiVPZCt3IoaQGPw4Ah3O
+ygnelgEhWNRwROx4dErmW2l7dUQP8dbSz+qI4g04Wx3GjnZAlY7mt7LG8OncavsA
+Gp52m8QrAgMBAAECggEAS7VHztwvElXrT4Ost/+fpCQEckLGHlievq4GBAmunvRy
+vK1pqra5IY5SOFXrUrN+oijxHUXwFXQcv44ctywNEPH8Xp3rwQvKncUH+9QVrDSr
+WD8h/jROgKmXJ3E9W6QiEl0GPrT7f3qNLWKaKUeUBkx/9P7KUFQL0g+Dz0zCdw1k
+wzJNE+tJgspeInlgylmXsuT2A0lPkIDq6uxZY/yhaEG03dytX12Mmg5VcfIzjLWB
+cF0hKDbb+Pmu+tWbLHEwHg00Qj3k7Y21u9DrHRC0uBYrVsytSxDIuayRfwskAcIm
+fyMNAYVtOQxzdaDm2OTT0SAZJOOxa+ZYMGToEzzFcQKBgQDTp961U0RAlbfygA4a
+IDxSvLDaIQ1pZuDzHwm/8b7SNGWiTSCjSWXZFd35rOXian53u69ey61ZTIAyv1sQ
+c7R1yCfyg8YUTWZLbl1s5Bb+ekh64WEaMmf+eChcegsXt/kW/wQKM9DLRMAM4v5Q
+9g3VEMH5xuFdGRa2AwDVZrRB5wKBgQDINsNkPgxMq+B1GfnT6PpuyAWlb7GuUENc
+yAucIBMGKdY8QlwnQmAaKPTl1t/MFsiiwUhRJiyXurG+skd3BmMPdACWnXa7nKBW
+XoXM6MRhS1QrDds6hid1usO86fB50UhupSr3tkHdeWy8l1erll/rhrParSyer1iK
+AjLfwx2rHQKBgQCaGTehpv0jVJ43tZoO1Xd1+aF9PuFH4zpWaDut/zEiVDnHAAaK
+O+8mLbCOjp5UyZpITGKzTvFn+bXAvOdtRACYXGERRXWa5Htc4f6tQCepoZhRtvP+
+ocJrWEpygfy/iReW8ZacYvtaczSsbTwh7/NENE42L+F26cRKQkeCF6OX8wKBgQDF
+Y1hXp+SwYnO0f5uSlIryVTlb1TazyGXhP0hS8DxRQ0X3uuTnv8THhcGMJ8AUkhHU
+hAIsHxqvrFw4ycMzUZSwU4mQ9EVuygg5no8DaijSU1Xz7IFKvaCBrVP1GB8BupdS
+nnwyI/njxCaz9/FzNZnztqXy3fCzseP0jB5kBRVm8QKBgEDbzlXPdF5Jr4mb3+Pt
+hqhAP1Swx2vwIyooDqhP0D5nUV1EDJ6Hqwb6L9R0Apt2gLW0YD1ETh9TsqUOWbIm
+kiE9IDHZFbtBj014clx3if6snKarrjaHQJ9THzB5uwtv8b3/k81T/IyAnPmXobQx
+Rrw+6hjfOdQsT90raYyhRWWx
+-----END PRIVATE KEY-----

examples/token-auth-keycloak/conf/registry/localhost_trust_chain.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICmzCCAYMCBgF3SzrlgjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0
+ZXIwHhcNMjEwMTI4MjI1OTQ3WhcNMzEwMTI4MjMwMTI3WjARMQ8wDQYDVQQDDAZt
+YXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHFs8UdWQrDZ/K
+RMvX/bu4SYa4fq38OHCu/ci8c/Vjuz8A4TI6hn84i82WLdHsiXpi4PO4YnGxTxHF
+vI8cAarLW2aYv8ZK81YP63kPUMGS3dMtQE8CRTAtHBOVXrxp6ab18kTeQZ/KxiXy
+nQM4rM7nSy+zoCY1AcPAvzLz0uqD/D8jBvsR90mrnHGrS2cJZCvaKkwfpMddUBOv
+qnlrDjiv0T5PE0fShvZWlUJn4tVhjwXGv6Nu32o87BnEE+6LoQek8YqaXohQLE3V
+MVFOHnxmCr7JwMk1Cdr+R2WyHleeC+FTL+O+kcpAzz9DIAhhUs2bHMR2OJAP3l4X
+PfPPGeWhAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIy0ru1wK6HTqO2UrNxa/Yqa
+GXdppS5tj2ssivKBqTc88TK2n8ORUyVVDeGVvicgASkru7ZjepR6APhdDG5Gy44x
+xnj/207txc6YXz+TS/2JO5SMNWrwQCwmjT9Ld4HtjEzzxt3O7tGUmSpRIAoRo4Zy
+gpaGuiHvJ0twhZWwcFS4sEYuGfF3uQ+hR2MQuSVm9El6GihY6c7dpv7E5GL71dDm
+VPjuN9/rkxEUvFl0EHZByfUpqXnVhujEDgw8eSyOleIFNJ0vEKKJRnbwcIi2SQ2z
+zPZjXKdr03R7YukmdMV5X7Swn7ehwF6AJijw6zpCoKcaiOQYexGMXxasK2xXw90=
+-----END CERTIFICATE-----

examples/token-auth-keycloak/data/keycloak/kernel/process-uuid

@@ -0,0 +1 @@
+cc04bebe-cb07-4384-b886-3670f757fd2e