Description
I have done the following
- I have searched the existing issues
- If possible, I've reproduced the issue using the 'main' branch of this project
Steps to reproduce
registry login fails on Google Artifact Registry due to missing service parameter in WWW-Authenticate header
Description
When attempting to use container registry login with a Google Artifact Registry (GAR) endpoint, the command fails with an authentication error, even if the
repository is configured for public access (allUsers has roles/artifactregistry.reader).
The tool appears to have a strict requirement for the service parameter in the WWW-Authenticate header returned by the registry's base /v2/ endpoint. While
most registries (like Docker Hub) include this, GAR only includes the service parameter when challenging a specific repository path, not on the base V2 check.
Technical Investigation
Using curl -v to inspect the headers reveals the discrepancy the tool is likely tripping over:
- Google Artifact Registry base endpoint (/v2/):
< HTTP/2 401
< www-authenticate: Bearer realm="https://us-central1-docker.pkg.dev/v2/token"
As a workaround, I can auth with the apple-container tool using:
gcloud auth print-access-token | container registry login --username oauth2accesstoken --password-stdin us-central1-docker.pkg.dev
But this shouldn't be required if the sub-path points to a public repository
Note: Only realm is present. The container tool fails here with "Missing Bearer challenge".
- Docker Hub base endpoint (/v2/):
< HTTP/2 401
< www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
Note: Both realm and service are present. The tool handles this 401 correctly.
- Google Artifact Registry repository-specific endpoint:
< HTTP/2 401
< www-authenticate: Bearer realm="https://us-central1-docker.pkg.dev/v2/token",service="us-central1-docker.pkg.dev",scope="repository:project/repo/image:pull"
Note: When a specific path is requested, GAR includes the service parameter.
Environment Info
- OS: macOS (Darwin)
- Tool: container (v2 registry client)
- Registry: Google Artifact Registry (*.pkg.dev)
Additional Context
The repository in question is confirmed to be public. Anonymous pulls via curl (requesting a token from the realm provided in the GAR challenge) work
successfully, confirming that the GAR response is valid according to the Docker Registry V2 spec, even if it is more minimal than other implementations.
Current behavior
Reproduction Steps
- Attempt to login to a Google Artifact Registry domain:
echo "any-token" | container registry login --username oauth2accesstoken --password-stdin us-central1-docker.pkg.dev
Actual Behavior:
The command fails with:
Error: HTTP request to https://us-central1-docker.pkg.dev/v2/ failed with response: 401 Unauthorized. Reason: invalidArgument: "Missing Bearer challenge in
WWW-Authenticate header"
Expected behavior
Expected Behavior:
The tool should parse the Bearer challenge even if the service parameter is missing, or attempt to authenticate against the specific path provided.
Environment
- OS:
System Version: macOS 15.7.3 (24G419)
Kernel Version: Darwin 24.6.0
Boot Volume: Macintosh HD
Boot Mode: Normal
Computer Name: ptone-mac
User Name: Preston Holmes (ptone)
Secure Virtual Memory: Enabled
System Integrity Protection: Enabled
Time since boot: 23 hours, 52 minutes
- Xcode:
- Container:
container CLI version 0.7.1 (build: release, commit: 420be74)
Relevant log output
N/A
Code of Conduct
- I agree to follow this project's Code of Conduct
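
Added example, not part of the original issue and not the container project's code: a Python parser for the three challenges quoted above that treats only realm as required and builds the token request URL from whichever of service and scope are present. The function names and the HTTPS-only realm policy are assumptions of this example, and it handles a header carrying a single challenge.

```python
import re
from urllib.parse import urlencode, urlsplit

# One auth-param: name=token or name="quoted string", followed by a comma or end of input.
_PARAM = re.compile(r'\s*([\w.-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

def parse_bearer_challenge(header):
    """Return the Bearer parameters as a dict, or None if the scheme is not Bearer."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name, quoted, bare = m.group(1).lower(), m.group(2), m.group(3)
        # Undo backslash escapes inside quoted strings; bare tokens are used as-is.
        params[name] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        pos = m.end()
    # realm is the only parameter this parser requires; service and scope are optional.
    if "realm" not in params:
        raise ValueError("Bearer challenge without realm")
    # Example policy (assumption): credentials are only ever sent to an HTTPS realm.
    if urlsplit(params["realm"]).scheme != "https":
        raise ValueError("refusing non-HTTPS token realm")
    return params

def token_url(challenge, scope=None):
    """Build the token request URL, omitting query parameters the challenge did not supply."""
    wanted = (("service", challenge.get("service")),
              ("scope", scope or challenge.get("scope")))
    query = {key: value for key, value in wanted if value}
    return challenge["realm"] + ("?" + urlencode(query) if query else "")

# Header values as quoted in the issue.
GAR_BASE = 'Bearer realm="https://us-central1-docker.pkg.dev/v2/token"'
DOCKER_HUB = 'Bearer realm="https://auth.docker.io/token",service="registry.docker.io"'
GAR_REPO = ('Bearer realm="https://us-central1-docker.pkg.dev/v2/token",'
            'service="us-central1-docker.pkg.dev",scope="repository:project/repo/image:pull"')

if __name__ == "__main__":
    for header in (GAR_BASE, DOCKER_HUB, GAR_REPO):
        print(token_url(parse_bearer_challenge(header)))
```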