feat(distribution/rkforge): migrate rkforge login to browser OAuth an…#554
genedna merged 3 commits into rk8s-dev:main from
…d delegate registry auth to Web App

rkforge:
- Rewrite login flow to browser-based OAuth via Web App
- Add local HTTP callback server (axum, 127.0.0.1:random port)
- Add browser auto-open with fallback URL printing and one-time user_code display
- Exchange one-time auth_code for JWT via /api/cli/exchange
- Use positional [SERVER] auth endpoint (default: https://libra.tools)
- Apply --skip-tls-verify to exchange requests
- Persist token by registry_url returned from exchange response (with fallback resolution)

distribution:
- Remove /api/v1/auth/{provider}/callback and /client_id routes
- Remove oauth_callback/client_id service logic and GitHub API helper code
- Replace local claims extraction with Web App internal verify API
- Add OCI_REGISTRY_AUTH_API_URL and INTERNAL_VERIFY_TOKEN config/env
- Send X-Registry-Internal-Token on verify requests
- Enforce pull/push action permission checks from verify response

Signed-off-by: Xingqiu Xu <hilbertanjou83@gmail.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 885136f568
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
…exchange Signed-off-by: Xingqiu Xu <hilbertanjou83@gmail.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bd85dec345
…scheme detection Signed-off-by: Xingqiu Xu <hilbertanjou83@gmail.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6b95b97909
```rust
let claims = if let Some(t) = token {
    Some(verify_with_web_app(&state, t, None, None, None).await)
```
Skip redundant verify call in OCI auth middleware
populate_oci_claims calls verify_with_web_app(...) before branching on HTTP method, but authorize_repository_access then calls verify_with_web_app(...) again for repository-scoped pull/push checks on the same request. On push/pull paths this doubles network round-trips to the auth service (especially costly for chunked blob uploads with many PATCH/PUT calls), increasing latency and making registry operations fail more often under verify-service load even though one verification is sufficient.
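One way to act on this comment is to verify the token once per request and hand the result to the later repository-scoped check instead of calling the verify service a second time. The following is an added example, not code from the rk8s distribution crate: `VerifyService` is a constructed stand-in for the network call behind `verify_with_web_app`, and `RequestAuth`, `Claims` and `handle_request` are hypothetical names that model the two middleware stages (populate claims, then authorize pull/push) sharing one cached verification; in axum the cache would live in request extensions.

```rust
// Added example, not code from the rk8s distribution crate: a per-request
// cache so the token is verified once and both middleware stages reuse it.
// `VerifyService` is a constructed stand-in for the network call that the
// PR makes in verify_with_web_app; every name here is hypothetical.
use std::cell::{Cell, OnceCell};
use std::collections::HashSet;

#[derive(Clone, Debug, PartialEq)]
pub struct Claims {
    pub subject: String,
    /// (repository, action) pairs the verify response permitted.
    pub actions: HashSet<(String, String)>,
}

/// Stand-in for the Web App verify endpoint; counts how often it is hit.
pub struct VerifyService {
    pub calls: Cell<usize>,
}

impl VerifyService {
    pub fn verify(&self, token: &str) -> Option<Claims> {
        self.calls.set(self.calls.get() + 1);
        // Constructed fixture: one known token grants pull and push on one repo.
        if token != "good-token" {
            return None;
        }
        let actions: HashSet<(String, String)> = [("library/app", "pull"), ("library/app", "push")]
            .iter()
            .map(|(r, a)| (r.to_string(), a.to_string()))
            .collect();
        Some(Claims { subject: "alice".to_string(), actions })
    }
}

/// Request-scoped auth state (in axum this would live in request extensions).
/// The verify result is computed lazily and at most once per request.
pub struct RequestAuth<'a> {
    svc: &'a VerifyService,
    token: Option<&'a str>,
    cached: OnceCell<Option<Claims>>,
}

impl<'a> RequestAuth<'a> {
    pub fn new(svc: &'a VerifyService, token: Option<&'a str>) -> Self {
        Self { svc, token, cached: OnceCell::new() }
    }

    /// Stage 1 (populate claims): verifies on first use, then returns the cache.
    pub fn claims(&self) -> Option<&Claims> {
        self.cached
            .get_or_init(|| self.token.and_then(|t| self.svc.verify(t)))
            .as_ref()
    }

    /// Stage 2 (repository-scoped check): reuses the cached claims, no second call.
    pub fn authorize(&self, repo: &str, action: &str) -> bool {
        self.claims()
            .map_or(false, |c| c.actions.contains(&(repo.to_string(), action.to_string())))
    }
}

/// Runs both stages for one request and returns the authorization decision.
pub fn handle_request(svc: &VerifyService, token: Option<&str>, method: &str, repo: &str) -> bool {
    let auth = RequestAuth::new(svc, token);
    let _subject = auth.claims().map(|c| c.subject.clone()); // stage 1, e.g. for audit logs
    let action = if matches!(method, "GET" | "HEAD") { "pull" } else { "push" };
    auth.authorize(repo, action) // stage 2
}
```

The call counter makes the property checkable: a PATCH on a chunked upload costs one verify round-trip regardless of how many stages consult the claims, and a request with no token never reaches the service at all.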
```rust
    return Ok(s.trim_end_matches('/').to_string());
}
// Extract host part (before port) for IP range check
let host_part = s.split(':').next().unwrap_or(s);
```
Parse IPv6 host correctly when inferring auth-server scheme
parse_server_url derives host_part via s.split(':').next(), which breaks bracketed IPv6 inputs like [::1]:7001 (the extracted host becomes "["). That makes is_private_ip return false and defaults the URL to https://[::1]:7001, so local IPv6 auth servers running over HTTP fail TLS handshake unless users manually add http://.
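The following is an added example, not the rkforge code under review, showing a host/port split that handles bracketed IPv6 literals before the private-range check decides between `http` and `https`. `split_host_port`, `is_private_ip` and this `parse_server_url` are hypothetical stand-ins written for the example; the private-range definition (loopback, RFC 1918, link-local, `fc00::/7`, `fe80::/10`, plus the name `localhost`) is an assumption, not the project's.

```rust
// Added example (not code from the rkforge PR): infer the auth-server scheme
// from a bare host[:port] argument, handling "[v6]:port" correctly. Every
// function name here is hypothetical, and the private-range policy is assumed.
use std::net::IpAddr;

/// Split "host[:port]" into (host, port). Bracketed IPv6 ("[::1]:7001", "[::1]")
/// is honoured; an unbracketed string with more than one ':' is treated as a
/// bare IPv6 literal without a port. Returns None on malformed brackets.
pub fn split_host_port(s: &str) -> Option<(&str, Option<&str>)> {
    if let Some(rest) = s.strip_prefix('[') {
        let end = rest.find(']')?;
        let host = &rest[..end];
        let after = &rest[end + 1..];
        return match after {
            "" => Some((host, None)),
            p if p.starts_with(':') => Some((host, Some(&p[1..]))),
            _ => None,
        };
    }
    if s.matches(':').count() > 1 {
        return Some((s, None));
    }
    match s.split_once(':') {
        Some((h, p)) => Some((h, Some(p))),
        None => Some((s, None)),
    }
}

/// Assumed policy: loopback, RFC 1918, link-local and unique-local addresses
/// (and the literal name "localhost") are where a dev auth server usually
/// speaks plain HTTP; everything else defaults to HTTPS.
pub fn is_private_ip(host: &str) -> bool {
    match host.parse::<IpAddr>() {
        Ok(IpAddr::V4(v4)) => v4.is_loopback() || v4.is_private() || v4.is_link_local(),
        Ok(IpAddr::V6(v6)) => {
            v6.is_loopback()
                || (v6.segments()[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (v6.segments()[0] & 0xffc0) == 0xfe80 // fe80::/10 link local
        }
        Err(_) => host == "localhost",
    }
}

/// Normalise a user-supplied [SERVER] argument into a base URL.
pub fn parse_server_url(input: &str) -> Result<String, String> {
    let s = input.trim();
    if s.starts_with("http://") || s.starts_with("https://") {
        return Ok(s.trim_end_matches('/').to_string());
    }
    let (host, _port) = split_host_port(s).ok_or_else(|| format!("malformed host: {s}"))?;
    let scheme = if is_private_ip(host) { "http" } else { "https" };
    Ok(format!("{scheme}://{}", s.trim_end_matches('/')))
}
```

With this split, `[::1]:7001` yields the host `::1` rather than `[`, so the loopback check succeeds and the local IPv6 server is reached over HTTP without the user having to spell out `http://`.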