OCI Authentication and Authorization Working Group
Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 6833 US (San Jose)
877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 644 941 5895
Find your local number: https://zoom.us/u/aLDk4OXTu
template at the bottom
May 7, 2024 - TBD
Canceled future meetings pending progress on submitting proposals.
April 30, 2024
Recording: https://youtu.be/aDVFgvpJIb8
Attendees
- Brandon Mitchell
- Nathan Anderson
Notes
- No updates, ended the meeting early
April 23, 2024
Canceled
April 16, 2024
Canceled for OSSummit
April 9, 2024
Canceled
April 2, 2024
Recording: https://youtu.be/MBDk1D6j_vM
Attendees
- Brandon Mitchell
- Nathan Anderson
- Jeff Carter
- add yourself
Notes
- No updates, ended the meeting early
March 26, 2024
Recording: https://youtu.be/eNscSLlzobE
Attendees
- Brandon Mitchell
- Nathan Anderson
- Jeff Carter
- Sajay Antony
- add yourself
Notes
- Quick checkin, next steps would be creating proposals in the wg-auth repo once people have free time.
March 19, 2024
Canceled - KubeCon EU
March 12, 2024
Canceled - no agenda
March 5, 2024
Recording: https://youtu.be/3DEm5Nd07Tg
Attendees
- Nathan Anderson
- Brandon Mitchell
- Victor Lu
- Jeff Carter
- Ramkumar Chinchani
- add yourself
Notes
- No agenda, meeting ended early.
February 27, 2024
Recording: https://youtu.be/5B4F9CLJfBo
Attendees
- Brandon Mitchell
- Ramkumar Chinchani
- Sajay Antony
- Jeff Carter
- Nathan Anderson
- add yourself
Notes
- No agenda, meeting ended early.
February 20, 2024
Recording: https://youtu.be/J3Ms2qM8uMM
Attendees
- Brandon Mitchell
- Nathan Anderson
- Sajay Antony
- add yourself
Notes
- No agenda, meeting ended early.
- Current focus of the maintainers is working through image and distribution spec backlogs after the 1.1.0 releases.
February 13, 2024
Recording: https://youtu.be/4UmmL3Fyp74
Attendees
- Brandon Mitchell
- Nathan Anderson
- Sajay Antony
- Ramkumar Chinchani
- Toddy
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
February 6, 2024
Recording: https://youtu.be/V33E4iidKPE
Attendees
- Toddy
- Brandon Mitchell
- Nathan Anderson
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- Toddy continues work on reviewing existing registry implementations.
- add your notes
January 30, 2024
Recording: https://youtu.be/FgZNM0ybrxY
Attendees
- Brandon Mitchell
- Syed Ahmed
- Nathan Anderson
- Jeff Carter
- Toddy
- Sajay Antony
- Ramkumar Chinchani
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
January 23, 2024
Recording: https://youtu.be/DbwZoaPf7Y0
Attendees
- Brandon Mitchell
- Toddy
- Nathan Anderson
- Syed Ahmed
- Jeff Carter
- Ramkumar Chinchani
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- Toddy asked about reusing a token
- Ended early due to lack of agenda
- add your notes
January 16, 2024
Recording: https://youtu.be/u7-KVNFXtX0
Attendees
- Brandon Mitchell
- Nathan Anderson
- Jeff Carter
- Ramkumar Chinchani
- Sajay Antony
- Syed Ahmed
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- Auth scopes for cross repo actions like search
- Quay and Docker Hub allow global actions, but only on public repos
- Adding search to private repos may not be supported by most registries
- Some registries are looking at wildcard or prefix options for access to an organization
- Browser use case
- CORS issues
- Desire to implement something like https://explore.ggcr.dev/ within the browser rather than on a server
- Registries that want to allow any client would need to allow a * origin
- add your notes
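The browser use case above turns on more than the wildcard origin: the registry (and the token endpoint behind the realm) has to answer the preflight for the Authorization header and expose WWW-Authenticate, or a page can never read the 401 challenge. The Go below is an added illustration, not code from any registry or from the WG; the handler names, the realm URL, the Origin and the token value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AllowAnyOrigin wraps a distribution API handler for browser clients on any
// origin. Beyond the wildcard, two headers decide whether a page can actually
// use the registry: Authorization must be an allowed request header (browsers
// preflight it), and WWW-Authenticate must be exposed, otherwise script cannot
// read the 401 challenge and learn the token realm and scope. Docker-Content-Digest
// and Location are exposed because clients read them. A "*" origin rules out
// credentials mode "include"; that is fine here, the page attaches the bearer
// token itself rather than relying on cookies.
func AllowAnyOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", "*")
		h.Set("Access-Control-Expose-Headers", "WWW-Authenticate, Docker-Content-Digest, Location")
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			h.Set("Access-Control-Allow-Methods", "GET, HEAD")
			h.Set("Access-Control-Allow-Headers", "Authorization, Accept")
			h.Set("Access-Control-Max-Age", "600")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// demoRegistry is a constructed stand-in for /v2/: it challenges anonymous
// requests and accepts any bearer token. The realm URL is made up.
func demoRegistry() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			w.Header().Set("WWW-Authenticate", `Bearer realm="https://auth.example.com/token",service="registry.example.com"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Docker-Distribution-API-Version", "registry/2.0")
		w.WriteHeader(http.StatusOK)
	})
}

// Probe sends one request from the given Origin through the wrapped handler
// and returns the status and response headers a browser's CORS checks inspect.
func Probe(method, origin string, withToken bool) (int, http.Header) {
	req := httptest.NewRequest(method, "https://registry.example.com/v2/", nil)
	req.Header.Set("Origin", origin)
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", "GET")
		req.Header.Set("Access-Control-Request-Headers", "authorization")
	}
	if withToken {
		req.Header.Set("Authorization", "Bearer constructed-token")
	}
	rec := httptest.NewRecorder()
	AllowAnyOrigin(demoRegistry()).ServeHTTP(rec, req)
	return rec.Code, rec.Header()
}

func main() {
	for _, c := range []struct {
		method string
		token  bool
	}{{"OPTIONS", false}, {"GET", false}, {"GET", true}} {
		code, h := Probe(c.method, "https://explore.example.org", c.token)
		fmt.Printf("%s token=%v -> %d ACAO=%q expose=%q challenge=%q\n", c.method, c.token, code,
			h.Get("Access-Control-Allow-Origin"), h.Get("Access-Control-Expose-Headers"), h.Get("WWW-Authenticate"))
	}
}
```

The same wrapper has to sit in front of the token endpoint named in the realm, since the browser's second request goes there; without it the page sees the challenge but can never exchange it for a token.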
January 9, 2024
Recording: https://youtu.be/nGn2T4OMjug
Attendees
- Brandon Mitchell
- Jeff Carter
- Ramkumar Chinchani
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- Not much this week
- Brandon will work on submitting a PR for added use cases.
- add your notes
December 19, 2023
Recording: https://youtu.be/iH2h067qf9M
Attendees
- Brandon Mitchell
- Jeff Carter
- Victor Lu
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- Canceled next two meetings, resuming on January 9th.
- Brandon will work on pushing a PR to the use cases doc.
- add your notes
December 12, 2023
Recording: https://youtu.be/0E_xnI_-17c
Attendees
- Brandon Mitchell
- Nathan Anderson
- Syed
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
December 5, 2023
Recording: https://youtu.be/A_Hf18A0dxw
Attendees
- Ramkumar Chinchani
- Nathan Anderson
- Victor Lu
- Jeff Carter
- Brandon Mitchell
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- Reviews for PRs are needed.
- add your notes
November 28, 2023
Attendees
- Brandon Mitchell
- Lindsey Albery
- Nathan Anderson
Notes
November 21, 2023
Recording: https://youtu.be/IdjU7h73ZpE
Attendees
- Wayne
- Brandon Mitchell
- Victor Lu
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- Device authentication / zero trust discussion:
November 14, 2023
Recording: https://youtu.be/iJ36wUIXyQs
Attendees
- Lindsey Albery
- Bjorn Neergaard
- Nathan Anderson
- Brandon Mitchell
- Toddy
- Jeff Carter
- Mike Brown (IBM)
- Ramkumar Chinchani
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- Discussing scenarios:
- From the WG proposal:
- Define registry responses to unauthenticated requests.
- Define supported authentication methods (e.g. basic and bearer authentication).
- Specify how clients negotiate access to a repository and different types of access to that repository (e.g. pull and push).
- Specify how clients negotiate access to multiple repositories for actions like a cross-repository blob mount.
- Specify how clients and registries should renegotiate access for a request with expired or insufficient authorization.
- Specify expected lifetime of registry credentials.
- Avoid specifications that would prevent future extensibility (e.g. fine grain access control).
- The authentication methods defined as supported should include OSS solution(s) that avoid picking/choosing a limited set of specific authentication providers as the default / winner.
- Specify how clients and registries should be extensible/pluggable with respect to supported authentication methods.
- Pull (head) followed by a push
- First token is for a pull scope
- On push: the registry needs to send a 401 with the new scope rather than a 403 for refused / insufficient scope
- Should clients or servers track a forbidden scenario?
- Servers may not track missing scopes today, but could be added
- Clients know the scopes they've requested, but tracking this client-side gets away from the OAuth 2.0 spec design
- Cross repository blob mount
- Do clients request both push to target and pull from source, or only push?
- More research needed
- URL redirect
- Should auth header exist in redirect? No
- URL will typically include any auth (if needed) from the remote server
- Delete access
- Should the client-generated action be pull or delete?
- This assumes we define client-generated scopes.
- OAuth 2.0 Bearer Token Usage spec (RFC 6750): https://datatracker.ietf.org/doc/html/rfc6750
- add your notes
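The pull-then-push and cross-repository mount scenarios above reduce to how a client accumulates scopes across 401 challenges and stops on a 403. The Go below is an added illustration of that client-side logic, not WG, registry or any surveyed client's code; the realm, service and repository names are constructed, and treating a mount as target push plus source pull is this example's assumption rather than a WG decision.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"sort"
	"strings"
)

// Challenge parameters are quoted key="value" pairs; a quoted scope may contain commas.
var paramRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// ParseBearerChallenge parses a WWW-Authenticate value such as
// Bearer realm="https://auth.example.com/token",service="registry.example.com",scope="repository:foo/bar:pull,push"
func ParseBearerChallenge(header string) (map[string]string, error) {
	scheme, params, ok := strings.Cut(strings.TrimSpace(header), " ")
	if !ok || !strings.EqualFold(scheme, "Bearer") {
		return nil, fmt.Errorf("not a Bearer challenge: %q", header)
	}
	ch := map[string]string{}
	for _, m := range paramRe.FindAllStringSubmatch(params, -1) {
		ch[strings.ToLower(m[1])] = m[2]
	}
	return ch, nil
}

// ScopeSet records actions per resource ("repository:foo/bar" -> {pull,push}) so the
// client can request the union of what it needs instead of alternating single-scope tokens.
type ScopeSet map[string]map[string]bool

// Add merges space-separated "type:name:action[,action...]" scopes.
func (s ScopeSet) Add(scope string) error {
	for _, one := range strings.Fields(scope) {
		i := strings.LastIndex(one, ":")
		if i <= 0 || !strings.Contains(one[:i], ":") {
			return fmt.Errorf("malformed scope %q", one)
		}
		res := one[:i]
		if s[res] == nil {
			s[res] = map[string]bool{}
		}
		for _, a := range strings.Split(one[i+1:], ",") {
			if a != "" {
				s[res][a] = true
			}
		}
	}
	return nil
}

// String renders the set canonically (sorted) as a token request scope.
func (s ScopeSet) String() string {
	var parts []string
	for res, acts := range s {
		var as []string
		for a := range acts {
			as = append(as, a)
		}
		sort.Strings(as)
		parts = append(parts, res+":"+strings.Join(as, ","))
	}
	sort.Strings(parts)
	return strings.Join(parts, " ")
}

// NextScope decides what the client does when a request made with an existing token fails:
// on 401 merge the challenged scope and retry with a new token; on 403 the token was
// valid but the action is refused, so retrying with the same scopes would only loop.
func NextScope(have ScopeSet, status int, wwwAuthenticate string) (string, bool, error) {
	switch status {
	case http.StatusUnauthorized:
		ch, err := ParseBearerChallenge(wwwAuthenticate)
		if err != nil {
			return "", false, err
		}
		if err := have.Add(ch["scope"]); err != nil {
			return "", false, err
		}
		return have.String(), true, nil
	case http.StatusForbidden:
		return have.String(), false, nil
	}
	return have.String(), false, fmt.Errorf("unexpected status %d", status)
}

// MountScope is what to request before a cross-repository blob mount: push on the target
// plus pull on the source. Asking for both is this example's assumption (open question above).
func MountScope(target, source string) string {
	s := ScopeSet{}
	_ = s.Add("repository:" + target + ":push repository:" + source + ":pull")
	return s.String()
}

func main() {
	have := ScopeSet{}
	_ = have.Add("repository:foo/bar:pull") // token obtained for the initial HEAD
	fmt.Println(NextScope(have, http.StatusUnauthorized, // manifest PUT challenged for push
		`Bearer realm="https://auth.example.com/token",service="registry.example.com",scope="repository:foo/bar:push"`))
}
```

The merge is the point: a client that replaces "pull" with "push" on the second challenge ends up with a token that can no longer HEAD the manifest, and a registry that answers the insufficient-scope case with 403 instead of 401 never gives the client the chance to merge at all.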
November 7, 2023
Recording: https://youtu.be/vTS29GuEbms
Attendees
- Ethan Hill
- Wayne
- Bjorn Neergaard
- Nathan Anderson
- Brandon Mitchell
- Ramkumar Chinchani
- Jeff Carter
- Victor Lu
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
- regclient implementation: https://github.com/opencontainers/wg-auth/pull/8
- Future plans:
- containerd will hopefully have a write-up in the next week or so
- gather a list of difficult auth questions we should resolve (pull then push, multi-repository access, etc)
Notes
October 31, 2023
Recording: https://youtu.be/BfKUHT5z1jM
Attendees
- Sajay Antony
- Nathan Anderson
- Ramkumar Chinchani
- Brandon Mitchell
- Jeff Carter
- Wayne
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
October 24, 2023
Recording: https://youtu.be/Mev5v_8dia4
Attendees
- Nathan Anderson
- Victor Lu
- Brandon Mitchell
- Sajay Antony
- Ramkumar Chinchani
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- No implementation docs ready this week
- Potential issues:
- 307 (redirect) responses should not carry credentials in a header, but the redirect URL may need to include them
- how do servers know when a client has requested and failed to get access to a specific repo (vs. reusing a token from a different repo and needing to re-auth)?
- add your notes
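On the redirect point (raised again under November 14): the client should follow the 307 but must not let the registry bearer token travel to the storage host, while whatever the backend needs rides in the redirect URL. The Go below is an added example, not code from any of the clients surveyed by the WG; the two in-process servers, the signed query parameter and the token value are constructed so it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// NewRegistryClient returns a client that follows the 307 a registry sends for a blob
// but forwards the registry bearer token only to the exact registry host:port. Go's
// default policy already drops Authorization across domains, yet keeps it for
// subdomains and for another port on the same host; this policy is stricter.
func NewRegistryClient(registryHost string) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			if req.URL.Host != registryHost {
				req.Header.Del("Authorization")
			}
			return nil
		},
	}
}

// FetchBlobViaRedirect stands up two constructed servers: a "registry" that checks the
// bearer token and 307s to a "backend" that accepts only a signed query parameter and
// echoes the Authorization value it received. It returns that echoed value (empty if
// the token was stripped) and the blob body.
func FetchBlobViaRedirect(strict bool, token string) (seenAtBackend, body string, err error) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Saw-Authorization", r.Header.Get("Authorization"))
		// A real backend validates expiry and signature; this value is constructed.
		if r.URL.Query().Get("X-Signature") != "constructed-signature" {
			http.Error(w, "bad signature", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, "blob-bytes")
	}))
	defer backend.Close()

	registry := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			w.Header().Set("WWW-Authenticate", `Bearer realm="https://auth.example.com/token",service="registry",scope="repository:foo/bar:pull"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		// Backend credentials travel in the Location URL, never in a header.
		http.Redirect(w, r, backend.URL+"/data/sha256-deadbeef?X-Signature=constructed-signature", http.StatusTemporaryRedirect)
	}))
	defer registry.Close()

	ru, _ := url.Parse(registry.URL)
	client := &http.Client{}
	if strict {
		client = NewRegistryClient(ru.Host)
	}
	req, err := http.NewRequest(http.MethodGet, registry.URL+"/v2/foo/bar/blobs/sha256:deadbeef", nil)
	if err != nil {
		return "", "", err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", "", err
	}
	seen := resp.Header.Get("X-Saw-Authorization")
	if resp.StatusCode != http.StatusOK {
		return seen, string(b), fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return seen, string(b), nil
}

func main() {
	seen, body, err := FetchBlobViaRedirect(true, "constructed-token")
	fmt.Printf("strict client: backend saw Authorization=%q body=%q err=%v\n", seen, body, err)
	seen, _, _ = FetchBlobViaRedirect(false, "constructed-token")
	fmt.Printf("default client: backend saw Authorization=%q\n", seen)
}
```

Both test servers listen on 127.0.0.1 with different ports, which is exactly the case the default Go client treats as "same domain"; the strict client compares host:port and so drops the token, which is the behaviour a registry client wants when the blob store is a CDN or object storage it does not control.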
October 17, 2023
Recording: https://youtu.be/3v1IVQPffRk
Attendees
- Toddy
- Wayne Warren
- Sajay Antony
- Ramkumar Chinchani
- Brandon Mitchell
- Jeff Carter
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- No implementation docs ready this week, ended early
October 10, 2023
Recording: https://youtu.be/Pnzh8UDErBM
Attendees
- Brandon Mitchell
- Sajay Antony
- Nathan Anderson
- Victor Lu
- Wayne
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
October 3, 2023
Recording: https://youtu.be/5Xis39EWfvE
Attendees
- Nathan Anderson
- Ramkumar Chinchani
- ToddySM
- Sajay Antony
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
September 26, 2023
Recording: https://youtu.be/IAVvalKd9xU
Attendees
- Toddy
- Nathan Anderson
- Jeff Carter
- Brandon Mitchell
- Sajay Antony
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- Reviewed moby workflow, expect containerd to look very different
- Question on how clients handle requests to multiple repositories when they have an auth token for only one (should they request a new token?)
- Action: make workflows for:
- Containerd (Nathan)
- ORAS (Sajay will request from the team, expect 3-4 weeks)
- regclient (Brandon, will not be here next week)
- add your notes
September 19, 2023
Recording: https://youtu.be/u9hWTd30nsM
Attendees
- Brandon Mitchell
- Sajay Antony
- Nathan Anderson
- Márk Sági-Kazár
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
- Short review of Moby calling the /v2/ ping
- Brandon will work on documenting some client's existing workflows as PRs
- add your items
Notes
September 12, 2023
Recording: https://youtu.be/QqUGPirVioM
Attendees
- ToddySM
- Nathan Anderson
- Sajay Antony
Actionable Agenda Items
Presentation/Discussion Agenda Items
- Discussion on creating some documentation of various registries (toddysm)
- Introspection of the WWW-Authenticate challenge header (Nathan)
- add your items
Notes
September 5, 2023
Recording: https://youtu.be/2dz977xVuyE
Attendees
- Brandon Mitchell
- Ramkumar Chinchani
- Nathan Anderson
- Jeff Carter
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
- Could we add docker authentication specifications as a proposal? [sajay]
- Does seem like a place to start with, maybe a single doc.
- add your items
Notes
- Deferred to next week: look at containerd / distribution / moby code with the v2 ping and the workflow to generate scopes.
- add your notes
August 29, 2023
Recording: https://youtu.be/3JN0RXRcqII
Attendees
- Brandon Mitchell
- Sajay Antony
- Jeff Carter
- Ramkumar Chinchani
- Nathan Anderson
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
August 22, 2023
No agenda, canceled
August 15, 2023
Recording: https://youtu.be/xDSYtigDmC0
Attendees
- Brandon Mitchell
- Jeff Carter
- Ramkumar Chinchani
- ToddySM
- Victor Lu
- Nathan Anderson
- Sajay Antony
- Aviral Takkar
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- Brainstorming: would cloud providers and others adopt proposals from here?
- Potentially add a conformance test
- Make additions to the conformance test.
- Will we need a security review?
- OCI may not have the resources, but registry servers should
- Existing specs listed in PR 3: https://github.com/opencontainers/wg-auth/pull/3/files
- Next steps?
- Create a diagram of existing workflow with the docker spec
- Survey of existing tools and their processes
- add your notes
August 8, 2023
Recording: https://youtu.be/lzMrS7nYfZg
Attendees
- Aviral
- Brandon Mitchell
- Jeff Carter
- Mike Brown (IBM)
- Nathan Anderson
- Ramkumar Chinchani
- ToddySM
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes
- How to handle disagreements in the WG
- Hopefully we won't have many
- Everything we create goes through various approvals upstream.
- Separate the use cases by current capabilities vs future features
- Use Cases:
- Permissions to access _catalog
- How to filter out repos from list you do not have access to
- How to query limited private scope
- UI authentication vs client tooling/CLI workflow
- Different types of credentials (passwords, tokens)
- Authentication to extensions in the registry (not only push/pull)
- Authentication for anything that is not specific to a repository
- Pull/push an image
- Cross repository blob mount
- Long running clients (registry mirroring, caches)
- Timeout of stale credentials
- Accessing multiple repositories
- Multi-tenant clients
- Encryption/decryption images/artifacts
- CDN integration
- Various auth methods (token, basic)
- Artifact scanning and signing
- Certificate authority
- Mutual TLS
- Auth to the tag level, e.g. embargoed fixes
- HTTP redirection (when should client allow?)
- Anonymous access
- Will we create a library in OCI?
- Existing Specs
August 1, 2023
Recording: https://youtu.be/2SOCMLIdg10
Attendees
- Brandon Mitchell
- Jason Hall
- Aviral Takkar
- Jeff Carter
- Sajay Antony
- Josh Dolitsky
- Nathan Anderson
- Victor Lu
- Vincent Batts
- add yourself
Actionable Agenda Items
Presentation/Discussion Agenda Items
- Discuss what the participants would like to see out of this group
- Procedural questions
- Where to iterate and file issues etc.
- add your items
Notes
Template
Meeting Date
Attendees
Actionable Agenda Items
Presentation/Discussion Agenda Items
Notes