Unable to list an org's private repositories and tags using an OAT

[JuliusDegesys]

I have an internal service that returns the list of private repositories and tags associated with an org on docker hub for selection in our webapp.

I am able to use a PAT to generate a bearer token. However, I would prefer to use an OAT for all of the same benefits listed here: https://www.docker.com/blog/introducing-organization-access-tokens/.

My current approach is to send an HTTP POST request to the /users/login endpoint.

   curl -X POST https://hub.docker.com/v2/users/login \
     -H "Content-Type: application/json" \
     -d '{"username": "'$DOCKER_HUB_USERNAME'", "password": "'$DOCKER_HUB_PASSWORD'"}'

With a username and a PAT, this returns a valid response containing a bearer token that I can use to access https://hub.docker.com/v2/repositories/{org_name}

With an OAT, this call returns {"detail":"Cannot log into an organization account"}.

I'm able to use docker login -u $ORG_NAME and the OAT works for the login. I've tried also using the OAT directly as the Bearer token (header: {"Authorization": "Bearer <OAT>"}), but this doesn't seem to work either.

Is there a way to migrate this use case to an OAT? Or is this not yet supported?

[JuliusDegesys]

FWIW, I saw that https://docs.docker.com/security/for-admins/access-tokens/ says that OATs are incompatible with Docker REST APIs, but this is the Docker Hub REST API. Or are those the same thing?

[jcarter3]

They are the same thing. Initially, OATs only had scopes to work against the registry itself (push and pull). We are incrementally adding more scopes so they can perform more actions. At the moment, they cannot perform repo management actions (listing, creating, etc) but they are on the roadmap.

[JuliusDegesys]

Got it. Thanks for the clarification! I would love to see OATs be usable for the management side of things. Should I leave this issue open? Or is there another ticket I should +1 to show my support?

[sneakyjoeru]

Just faced this issue myself trying to list private repos and tokens. It's sad it doesn't work.

[sarlashin-8x8]

Listing tags from private repos is a common requirement in standard CI/CD pipelines.

The current inability to use OATs with the Docker Hub API to list container tags makes it difficult—if not impossible—to switch from username/password credentials to OATs.

[jcarter3]

@sarlashin-8x8 We're still working on adding repo scopes to OATs. In the meantime, there is an OCI endpoint to list tags directly from the registry -> https://github.com/distribution/distribution/blob/main/docs/content/spec/api.md#listing-image-tags

We're also working on a proposal to improve the data that is returned here so it includes digest, creation time, etc.

But the Hub APIs should support OATs Soon ™