Accept MCIAS JWT tokens as passwords at token endpoint

The /v2/token endpoint now detects when the password looks like a JWT
(contains two dots) and validates it directly against MCIAS before
falling back to the standard username+password login flow. This enables
non-interactive registry auth for service accounts — podman login with
a pre-issued MCIAS token as the password.

Follows the personal-access-token pattern used by GHCR, GitLab, etc.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 15:13:27 -07:00
parent f51e5edca0
commit 8c654a5537
3 changed files with 100 additions and 10 deletions
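The ordering the message describes (try the JWT path when the password has two dots, otherwise or on validation failure fall through to username+password) is shown below as an added, self-contained Go example; it is not the repository's code, and the `Validate`/`Login` method sets, the `authenticate` function and the fake backends are assumptions for illustration.

```go
package main

import (
	"errors"
	"strings"
)

// Method sets assumed for this example; the real TokenValidator and
// LoginClient behind NewRouter may differ.
type TokenValidator interface {
	Validate(token string) (subject string, err error)
}
type LoginClient interface {
	Login(username, password string) (subject string, err error)
}

// looksLikeJWT is the commit's heuristic: a compact JWS has exactly two
// dots separating header, payload and signature.
func looksLikeJWT(s string) bool {
	return strings.Count(s, ".") == 2
}

// authenticate tries the pre-issued token path first and falls back to
// the standard login, so a plain password that happens to contain two
// dots is still accepted when it is a valid password.
func authenticate(v TokenValidator, l LoginClient, user, password string) (string, error) {
	if looksLikeJWT(password) {
		if sub, err := v.Validate(password); err == nil {
			return sub, nil
		}
	}
	return l.Login(user, password)
}

// Constructed fakes standing in for MCIAS and the password backend.
type fakeValidator map[string]string // token -> subject
func (f fakeValidator) Validate(t string) (string, error) {
	if s, ok := f[t]; ok {
		return s, nil
	}
	return "", errors.New("token rejected by MCIAS")
}
type fakeLogin map[string]string // username -> password
func (f fakeLogin) Login(u, p string) (string, error) {
	if pw, ok := f[u]; ok && pw == p {
		return u, nil
	}
	return "", errors.New("bad credentials")
}
```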
@@ -14,7 +14,7 @@ func NewRouter(validator TokenValidator, loginClient LoginClient, serviceName st
// Token endpoint is NOT behind RequireAuth — clients use Basic auth
// here to obtain a bearer token.
r.Get("/v2/token", TokenHandler(loginClient))
r.Get("/v2/token", TokenHandler(loginClient, validator))
// All other /v2 endpoints require a valid bearer token.
r.Route("/v2", func(v2 chi.Router) {
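Review bot: the comment above the route ("clients use Basic auth here to obtain a bearer token") is now incomplete, since TokenHandler also receives `validator` and, per the commit message, will treat a two-dot password as a pre-issued MCIAS JWT before trying the username+password login; update the comment to name that second path, and make sure the handler change (not shown in this hunk) has a test for the fallback order so a JWT that MCIAS rejects falls through to the password login rather than failing the request outright, and that a successful token validation binds the bearer token's identity to the JWT subject rather than to whatever username the client supplied in the Basic header.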