harbor: 401 Unauthorized on some API endpoints when using OIDC
Expected behavior and actual behavior
I expect to be able to access all API endpoints that my user has access to via e.g. curl, using my CLI secret for authentication.
However, when using an OIDC user account, I cannot access some endpoints:
- I can GET the list of projects, but I cannot GET a specific project.
- I can GET the list of repositories in a project, but I cannot GET a specific repository.
- I can GET the list of artifacts in a repository, but I cannot GET a specific artifact (or e.g. its vulnerabilities).
Specifically, when using curl, I get a 401 response with this body:
{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized"}]}
I can access all endpoints with curl using a robot account or the admin account (which do not use OIDC).
I can also access all endpoints in the web GUI and the API Explorer (/devcenter-api-2.0) using my OIDC account.
Steps to reproduce the problem
# Credentials of an OIDC user; HARBOR_PASSWORD is the user's CLI secret.
HARBOR_USERNAME="bob"
HARBOR_PASSWORD="…"
HARBOR_URL="https://example.com"
HARBOR_PROJECT="foo"
HARBOR_REPO="bar"
HARBOR_TAG="baz"
# Alternating "list" and "single item" endpoints, to compare their behaviour.
API_PATHS=(
"/projects"
"/projects/${HARBOR_PROJECT:?}"
"/projects/${HARBOR_PROJECT:?}/repositories"
"/projects/${HARBOR_PROJECT:?}/repositories/${HARBOR_REPO:?}"
"/projects/${HARBOR_PROJECT:?}/repositories/${HARBOR_REPO:?}/artifacts"
"/projects/${HARBOR_PROJECT:?}/repositories/${HARBOR_REPO:?}/artifacts/${HARBOR_TAG:?}"
"/projects/${HARBOR_PROJECT:?}/repositories/${HARBOR_REPO:?}/artifacts/${HARBOR_TAG:?}/additions/vulnerabilities"
)
# Print only the HTTP status code and the URL for each endpoint.
for apiPath in "${API_PATHS[@]}"; do
  curl --silent --output /dev/null --write-out "%{http_code} %{url_effective}\n" \
    -u "${HARBOR_USERNAME:?}:${HARBOR_PASSWORD:?}" \
    "${HARBOR_URL:?}/api/v2.0${apiPath}"
done
Output:
200 https://example.com/api/v2.0/projects
401 https://example.com/api/v2.0/projects/foo
200 https://example.com/api/v2.0/projects/foo/repositories
401 https://example.com/api/v2.0/projects/foo/repositories/bar
200 https://example.com/api/v2.0/projects/foo/repositories/bar/artifacts
401 https://example.com/api/v2.0/projects/foo/repositories/bar/artifacts/baz
401 https://example.com/api/v2.0/projects/foo/repositories/bar/artifacts/baz/additions/vulnerabilities
Lines like this one show up in the log:
2022-04-04T14:00:00Z [ERROR] [/server/middleware/security/basic_auth.go:40][requestID="…"]: failed to authenticate bob: not supported
The error is thrown here.
Additional information
Notably, it turns out that in the web GUI and the API Explorer, a cookie named sid is included in each request. That cookie alone turns out to be enough for authentication and authorization – the Authorization header (i.e. curl’s -u flag) is not even needed:
HARBOR_SID="deadbeefdeadbeefdeadbeefdeadbeef"
curl --silent --output /dev/null --write-out "%{http_code} %{url_effective}\n" --cookie "sid=${HARBOR_SID:?}" "${HARBOR_URL:?}/api/v2.0/projects/${HARBOR_PROJECT:?}"
As previously stated, the cookie is necessary for some endpoints (when accessed by an OIDC user). However, the API Explorer generates commands like this one, without any cookie:
curl -X 'GET' \
'https://example.com/api/v2.0/projects/foo' \
-H 'accept: application/json' \
-H 'X-Is-Resource-Name: false' \
-H 'authorization: Basic Ym9iOm15IENMSSBzZWNyZXQK'
All in all, there seems to be some inconsistency regarding OIDC authentication:
- When the API is accessed by an OIDC user, some endpoints (e.g. /projects/foo) require an OIDC cookie, while others (e.g. /projects) do not.
- In the API Explorer, commands without the necessary authentication information are displayed.
Versions
- Harbor version: 2.4.1
- docker engine version: N/A
- docker-compose version: N/A
About this issue
- State: open
- Created 2 years ago
- Reactions: 12
- Comments: 28 (5 by maintainers)
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
Still an issue on 2.5.1
@majusmisiak:
IIRC, unfortunately not. I changed jobs a few weeks after creating this issue and haven’t used Harbor since.
Still an issue
Please un-stale.
Same issue. After an hour of debugging why requesting artifacts works fine but I cannot get tags of a specific one, I ended up here.
I have a user in Jenkins credential storage I use to make the curl requests.
This is not for just people to login and play around with postman or something.
This is programmatic use in pipeline. It should have a single credential/api key you can use to access API, stored securely with credentials.
That excess requirement here makes ZERO sense - you can access ALL artifacts with user:password but not individual?
@SimonAlling I have run into exactly the same issue that you described, with auth working with Authorization: Basic on some endpoints and with Cookie: sid on others. In my case, this makes using the Terraform provider for Harbor impossible.
Did you find any workaround for this issue?
Edit: (tag @Vad1mo )
I think this is clearly a bug.
This issue is still relevant, please keep it open
Correction: search for OIDC on https://github.com/goharbor/harbor/wiki/Harbor-FAQs. Appreciate!
For anyone else getting confused by this: search for just “OIDC”, not “API OIDC”, on that Wiki page.
Please refer to this https://github.com/goharbor/harbor/issues/16398#issuecomment-1074695316 or refer to the FAQ https://github.com/goharbor/harbor/wiki/Harbor-FAQs in the API OIDC part.