Load libtrust KeyIDs from token certificate bundle #4521
Conversation
Resolves issue where legacy Key IDs were not loaded from CA bundles, necessitating use of JWKS JSON Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
There was a problem hiding this comment.
Note that what you see on the main branch and what is going to become v3 i.e. the new major release, is not guaranteed to be compatible with v2 release.
I mention this because we deprecated libtrust module due to its no longer being maintained (its been archived for over 3 years now) and in general not being any established standard per see - if you believe libtrust is a standard, please refer us to some RFC.
I mention this because your PR pulls in some code which seems to attempt to re-establish b/w compatibility with libtrust which was explicitly removed due to its not being standardised, so this PR might not be considered to be merged in.
I understand not wanting to keep libtrust code around.
I will refer you to this project's own docs and comments, where this key id format is demonstrated as required:
The maintainers of this project INTENTIONALLY chose to only support libtrust key IDs for years. Now you're executing a rug pull and intentionally breaking compatibility. Unconditionally dropping support for the libtrust KeyID format - which was required for the last decade if you wanted your auth token provider to interoperate with the distribution registry - seems like a huge negative from a migration perspective. There are already two issues and a discussion thread about it, and barely anyone is using v3 yet. What is the harm in continuing to support this? If you don't do this, you're going to get a LOT of folks wondering why their auth providers break when switching to distribution/v3. The only workarounds at the moment are to do one of:
Neither of those are documented anywhere so its left as an unpleasant surprise for folks making the switch.
Note that many folks have a common/shared auth provider that cannot easily be replaced with one that does not generate backwards compatible tokens, just to satisfy this projects desire to make a clean break from the past. https://lawsofux.com/postels-law/
|
Resolves issue where legacy Key IDs were not loaded from CA bundles, necessitating use of JWKS JSON
Fixes:
Ref: https://github.com/docker/libtrust/blob/aabc10ec26b754e797f9028f4589c5b7bd90dc20/util.go#L181-L207