How to use /bearerToken API call

Description

How do I use this API call:
https://rest-docs.synapse.org/rest/GET/bearerToken.html

but I can do:

But this doesn't seem to use the Synapse authentication; I can append anything after "service" and get a token:

I have code here that gets the actual bearer token and validates that the docker image exists: https://github.com/Sage-Bionetworks/challengeutils/blob/validate-docker/challengeutils/validate_docker.py.

Environment

None

Activity

Bruce Hoff
December 24, 2019, 6:37 PM

> How do I use this API call
As stated in the page you linked, "This service is called by the Docker client only and is not for general use." So you would only use it if you are implementing a Docker client. The API that a Docker client can use is defined here: https://docs.docker.com/registry/spec/api/ and the use of the authorization token is described here: https://docs.docker.com/registry/spec/auth/token/

> I can do ... But this doesn't seem to use the Synapse authentication; I can append anything after "service" and get a token
You are exploring the API by trial and error. To use the API please read the specifications linked above (or simply use an existing Docker client, like the Python Docker client).

Thomas Yu
December 24, 2019, 8:10 PM

Ah, I see. I do actually already do that in the GitHub linked. I just thought this API call would potentially obtain a bearer token using Synapse login credentials. Currently the workflow orchestrator passes in username and password, but ideally in the future it would pass in username and API key for security purposes. I'm unsure if authentication would work for the Docker client using the Synapse API key.

Bruce Hoff
December 24, 2019, 9:11 PM
Edited

> I just thought this API call would potentially obtain a bearer token using Synapse login credentials

It does! From https://docs.docker.com/registry/spec/auth/token/

From Docker 1.11 the Docker engine supports both Basic Authentication and OAuth2 for getting tokens. Docker 1.10 and before, the registry client in the Docker Engine only supports Basic Authentication.

Synapse supports only Basic Authentication today.

> Currently the workflow orchestrator passes in username and password
Yes, and the Orchestrator uses the user name and password to authenticate Docker bearer token requests. You can see it here: https://github.com/Sage-Bionetworks/SynapseWorkflowOrchestrator/blob/master/src/main/java/org/sagebionetworks/DockerUtils.java#L117

> but ideally in the future it would pass in username and API key for security purposes. I'm unsure if authentication would work for the Docker client using the Synapse API key.

It does not. In the future we should change the Orchestrator to use an OAuth 2.0 access token and we should change the Synapse Docker bearer token API to accept that token to authorize requests to the Synapse Docker registry.

Also, I suggest that you write your code so that it works with any Docker registry, not just the Synapse Docker registry.
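The registry-agnostic flow from the token spec linked above, as an added example that is not part of the original comments or of the challengeutils or Orchestrator code: the client reads the token endpoint from the registry's `WWW-Authenticate` challenge instead of hard-coding `/bearerToken`, then authenticates the token request with Basic Authentication. The host names, credentials and function names are constructed for illustration, and the refusal of non-HTTPS realms is an assumption of this sketch.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Constructed sample: the challenge a registry sends with a 401 response.
SAMPLE_CHALLENGE = ('Bearer realm="https://auth.example.org/token",'
                    'service="registry.example.org",'
                    'scope="repository:project/image:pull"')

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Return the key="value" parameters of a Bearer challenge."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported auth scheme: {scheme!r}")
    params = dict(_PARAM.findall(rest))
    if "realm" not in params:
        raise ValueError("challenge has no realm")
    return params


def build_token_request(header, username, password):
    """Return (url, headers) for the token GET. Nothing is sent here."""
    params = parse_challenge(header)
    realm = params["realm"]
    # The password travels in a header, so never follow a cleartext realm.
    if not realm.lower().startswith("https://"):
        raise ValueError("refusing to send credentials to a non-HTTPS realm")
    if ":" in username:
        raise ValueError("Basic Authentication user names cannot contain ':'")
    # service and scope are echoed back exactly as the registry asked for them.
    query = {k: params[k] for k in ("service", "scope") if k in params}
    url = realm + ("?" + urlencode(query) if query else "")
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    return url, {"Authorization": "Basic " + cred}


def extract_token(body):
    """Read the bearer token from the JSON body of the token response."""
    doc = json.loads(body)
    token = doc.get("token") or doc.get("access_token")
    if not token:
        raise ValueError("token response carries no token")
    return token
```

The returned token is then sent to the registry as `Authorization: Bearer <token>` on the retried request.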

Thomas Yu
December 26, 2019, 9:10 PM

Thanks for the suggestion!

Fixed

Assignee

Unassigned

Reporter

Thomas Yu

Labels

None

Validator

Thomas Yu

Development Area

Challenges

Release Version History

None

Priority

Major