Wildcard Scope in JWT Auth Does Not Work as Expected

Summary

I ran into a 401 Unauthorized error when deleting a manifest through the GitLab registry API. Deleting a manifest requires the wildcard action scope (that is, repository:repo_name:*), and the token generator at gitlab.com/jwt/auth does not generate the access payload correctly for me. Below are the partially decoded JWT payloads from gitlab.com/jwt/auth and auth.docker.io/token for side-by-side comparison.

  • gitlab.com
{
  "access": [],
  "aud": "container_registry",
  "sub": "[REDACTED]",
  "iss": "omnibus-gitlab-issuer",
  ...
}
  • auth.docker.io
{
  "access": [
    {
      "type": "repository",
      "name": "[REDACTED]",
      "actions": [
        "*"
      ]
    }
  ],
  "aud": "registry.docker.io",
  "iss": "auth.docker.io",
  "[REDACTED]",
  ...
}

As you can see, the JWT generated by gitlab.com yields an empty access array rather than a repository access entry with wildcard actions (which is what the expected token should contain).

Steps to reproduce

Use curl or an API tester to request https://gitlab.com/jwt/auth?service=container_registry&scope=repository:<some_repo>:* (using basic auth with the username and password of an actual GitLab user) and base64-decode the JWT payload to inspect it.
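To make the decode-and-inspect step repeatable, here is an added Python example (not part of the original report and not GitLab's code): it base64url-decodes a token's payload, parses a registry scope string of the form type:name:actions, and reports which requested actions the token's access claim fails to grant, treating a "*" action as covering everything. The two tokens it inspects are constructed locally (unsigned, alg "none") to mirror the observed and expected payloads above; the repository name group/project and the sub value are placeholders. Decoding here performs no signature verification; that is the registry's job when the token is presented.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment format."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS token (header.payload.signature).

    This only decodes; the signature is NOT checked, so use it to inspect
    a token, not to trust one.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def parse_scope(scope: str) -> tuple[str, str, set[str]]:
    """Split a registry scope 'repository:<name>:<a1>,<a2>' into its parts.

    The name is everything between the first and last colon, so names that
    themselves contain ':' survive.
    """
    parts = scope.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed scope: {scope!r}")
    return parts[0], ":".join(parts[1:-1]), set(parts[-1].split(","))


def missing_actions(payload: dict, scope: str) -> set[str]:
    """Actions requested by `scope` that the token's access claim does not grant.

    An empty set means the token is usable for that scope. A granted '*'
    action covers every requested action, including a requested '*'.
    """
    rtype, name, wanted = parse_scope(scope)
    granted: set[str] = set()
    for entry in payload.get("access", []):
        if entry.get("type") == rtype and entry.get("name") == name:
            granted |= set(entry.get("actions", []))
    if "*" in granted:
        return set()
    return wanted - granted


def grants(payload: dict, scope: str) -> bool:
    """True when the token's access claim satisfies the whole scope."""
    return not missing_actions(payload, scope)


# --- constructed sample tokens: unsigned, for illustration only ---
def make_sample_token(claims: dict) -> str:
    """Build an unsigned token so the decoder has realistic input offline."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Mirrors the observed gitlab.com payload: empty access array.
OBSERVED_CLAIMS = {
    "access": [],
    "aud": "container_registry",
    "sub": "placeholder-user",
    "iss": "omnibus-gitlab-issuer",
}

# Mirrors the expected payload: wildcard actions on the requested repository.
EXPECTED_CLAIMS = {
    "access": [{"type": "repository", "name": "group/project", "actions": ["*"]}],
    "aud": "container_registry",
    "sub": "placeholder-user",
    "iss": "omnibus-gitlab-issuer",
}

OBSERVED_TOKEN = make_sample_token(OBSERVED_CLAIMS)
EXPECTED_TOKEN = make_sample_token(EXPECTED_CLAIMS)


if __name__ == "__main__":
    scope = "repository:group/project:*"
    for label, tok in (("observed", OBSERVED_TOKEN), ("expected", EXPECTED_TOKEN)):
        claims = jwt_payload(tok)
        gap = missing_actions(claims, scope)
        print(f"{label}: access={claims['access']} missing={sorted(gap) or 'none'}")
```

Run it as a script to see the observed token reported as missing the "*" action while the expected one is usable; point jwt_payload at a real token string from the auth endpoint to check a live response the same way before attempting the manifest delete.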

Expected behavior

{
  "access": [
    {
      "type": "repository",
      "name": "<some_repo>",
      "actions": [
        "*"
      ]
    }
  ],
  "aud": "container_registry",
  "iss": "omnibus-gitlab-issuer",
  ...
}

Actual behavior

{
  "access": [],
  "aud": "container_registry",
  "iss": "omnibus-gitlab-issuer",
  ...
}

Output of checks

This bug happens on GitLab.com