我想以编程方式检查 docker hub 上的一些图像。我在 https://distribution.github.io/distribution/spec/auth/token/
找到了一些指导我请求如下所示的令牌。看起来有点像 OAuth2 资源所有者密码凭证流程:
curl -X GET --basic --user myself "https://auth.docker.io/token?service=registry.docker.io&scope=repository:postgres:pull"
# Enter host password for user 'myself':
回应:
{
"token":"eyJhbGciOiJS...",
"access_token":"eyJhbGciOiJS...",
"expires_in":300,
"issued_at":"2024-10-12T19:13:38.347643413Z"
}
令牌有效负载为
{
"access": [],
"aud": "registry.docker.io",
"exp": 1728760718,
"https://auth.docker.io": {
"plan_name": "free",
"username": "myself"
},
"iat": 1728760418,
"iss": "auth.docker.io",
"jti": "dckr_jti_gMe1SEuZOCWZTiagjx-U6zyLclw=",
"nbf": 1728760118,
"sub": "55b2b442-41ab-498b-843d-40d87a8593a2"
}
但它并没有授权我使用该API。我想它应该是这样的:
{
"access": [
{
"type": "repository",
"name": "postgres",
"actions": [
"pull"
]
}
],
...
}
出了什么问题?我尝试过使用个人访问令牌 (PAT) 代替我的帐户密码,但没有什么区别。
通过https://github.com/distribution/distribution/issues/1203我发现名称应该是
library/postgrespostgres有了这样的令牌,就可以执行更多请求,例如
curl --oauth2-bearer eyJhbGciO... \
-X GET \
https://registry-1.docker.io/v2/library/postgres/tags/list