feat(api): gate OIDC basic token auth behind config flag

Agent-Logs-Url: https://github.com/project-zot/zot/sessions/2e5ae107-9578-43c4-b5f8-6e84e19fba6e

Co-authored-by: rchincha <45800463+rchincha@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-05-19 00:33:04 +00:00
committed by GitHub
parent af99f64534
commit 4bc4261e84
6 changed files with 83 additions and 4 deletions
+7 -1
@@ -31,7 +31,8 @@ Add OIDC workload identity configuration to your bearer authentication settings.
"oidc": [
{
"issuer": "https://kubernetes.default.svc.cluster.local",
"audiences": ["zot"]
"audiences": ["zot"],
"allowBasicAuth": true
}
]
}
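Review bot: the primary configuration example now ships with `"allowBasicAuth": true`, which is the non-default and, per the option's own description in this same change, is meant only for clients that cannot send Bearer tokens. Readers copying the first example will enable token-in-Basic-password handling without needing it. Suggest leaving the flag out of this example (or showing `"allowBasicAuth": false` to make the default explicit) and reserving `true` for a separately labelled "clients that cannot send Bearer tokens" example.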
@@ -55,6 +56,10 @@ Add OIDC workload identity configuration to your bearer authentication settings.
- **`username`**: CEL expression to extract the username. Default: `"claims.iss + '/' + claims.sub"`
- **`groups`**: CEL expression to extract groups. Default: none (no groups extracted)
- **`allowBasicAuth`** (optional): Allow OIDC token extraction from HTTP Basic credentials (`username:token`).
- Default: `false`
- Use this only when clients cannot send Bearer tokens.
- **`certificateAuthority`** (optional): PEM-encoded CA certificate to validate the OIDC provider's TLS certificate. Useful when the OIDC issuer uses a private CA (e.g., Kubernetes API server with a self-signed certificate). Mutually exclusive with `certificateAuthorityFile`.
- **`certificateAuthorityFile`** (optional): Path to a PEM-encoded CA certificate file to validate the OIDC provider's TLS certificate. Mutually exclusive with `certificateAuthority`.
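Review bot: the `allowBasicAuth` entry does not say how the `username` half of the Basic credential is treated when the `token` half is an OIDC token: whether it is ignored, must be empty, or must match the identity derived from the `username` CEL expression documented two bullets above. It also does not state that the flag applies per `oidc` issuer entry rather than globally for bearer auth. Suggest adding both points, plus one sentence on why the option is discouraged: the token travels in the Basic `Authorization` header, so it is exposed wherever Basic credentials are logged or proxied, which is the reason for the "use this only when clients cannot send Bearer tokens" guidance.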
@@ -105,6 +110,7 @@ is specified (so the whole `claimMapping` section could be omitted in this examp
{
"issuer": "https://kubernetes.default.svc.cluster.local",
"audiences": ["zot", "https://zot.example.com"],
"allowBasicAuth": true,
"claimMapping": {
"username": "claims.iss + '/' + claims.sub"
}
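Review bot: this example is introduced by the context line as the one where the default `username` mapping is shown (so `claimMapping` could be omitted); inserting the non-default `"allowBasicAuth": true` here muddies what the example is meant to illustrate. Suggest dropping the flag from this example and keeping it only in an example that is explicitly about Basic-credential clients.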
@@ -14,6 +14,7 @@
{
"issuer": "https://kubernetes.default.svc.cluster.local",
"audiences": ["zot", "https://zot.example.com"],
"allowBasicAuth": true,
"claimMapping": {
"username": "claims.sub"
}
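Review bot: the commit title says the Basic-credential token path is gated behind a config flag, but every visible hunk only turns the flag on in documentation and example configuration; nothing in the rendered diff shows the gate itself or a test asserting that Basic credentials carrying an OIDC token are rejected when `allowBasicAuth` is unset (the documented default of `false`). If that gating and its negative test are in the remaining changed files, a pointer in the commit message would help reviewers; if not, a test for the default-deny behaviour should accompany this change.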