Docker Registry Token authentication specification

Source: Internet
Author: User
Tags: auth, json, docker, registry

The token authentication flow for the Docker registry is as follows:

Process explanation:
1. The client attempts a push/pull operation against the registry.
2. If authorization is required, the registry returns a 401 Unauthorized HTTP response with information about how to authenticate.
3. The client requests a bearer token from the authorization service.
4. The authorization service returns an opaque bearer token representing the client's authorized access.
5. The client retries the original request with the bearer token in the request's Authorization header.
6. The Docker registry authorizes the client by validating the bearer token and the set of claims embedded in it, and begins the push/pull session.

How to Authorize
When a Docker client pulls or pushes an image and the Docker Registry V2 server requires authentication, the server returns a 401 Unauthorized response with a WWW-Authenticate header that gives detailed instructions on how to authenticate to this registry.

For example, suppose a user with the username jlhawn wants to push an image to the repository samalba/my-app. If the request is not authorized, the registry returns:

HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
WWW-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:samalba/my-app:pull,push"
Date: Thu, Sep 19:32:31 GMT
Content-Length: 235
Strict-Transport-Security: max-age=31536000

{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":[{"Type":"repository","Name":"samalba/my-app","Action":"pull"},{"Type":"repository","Name":"samalba/my-app","Action":"push"}]}]}

The relevant HTTP response header:

WWW-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:samalba/my-app:pull,push"

This indicates that the client must send a GET request to https://auth.docker.io/token using the service and scope values from the WWW-Authenticate header.

Get Token
Request parameters:
service: the address of the registry.
offline_token: whether to return a refresh token along with the bearer token. A refresh token can be used to obtain additional bearer tokens for the same principal with different scopes. The refresh token does not expire and should be considered completely opaque to the client.
client_id: the client ID.
scope: the scope of the permission requested, taken from the scope value in the WWW-Authenticate header; for the example above: scope=repository:samalba/my-app:push

Return parameters
token: the value of the token.
access_token: the response may carry token, access_token, or both; this is primarily for compatibility with older versions.
expires_in: the validity period of the token; the default is 60s.
issued_at: (optional) the RFC3339-serialized UTC standard time at which the given token was issued. If issued_at is omitted, the expiration is counted from when the token exchange completed.
refresh_token: (optional) a token that can be used to obtain additional access tokens for the same principal with different scopes. The client should keep this token secure and send it only to the authorization server that issued the bearer token. This field is set only if offline_token=true is provided in the request.

Example

https://auth.docker.io/token?service=registry.docker.io&scope=repository:samalba/my-app:pull,push

After authenticating the client (which may be an anonymous client if no attempt to authenticate was made), the token server must query its access control list to determine whether the client has the requested scope. In this sample request, if the client authenticated as user jlhawn, the token server determines what access jlhawn has to the repository samalba/my-app hosted by registry.docker.io.

The information returned:

HTTP/1.1 200 OK
Content-Type: application/json

{"token": "Eyj0exaioijkv1qilcjhbgcioijfuzi1niisimtpzci6ilbzwu86vevxvtpwn0pioji2sly6qvfuwjpmskmzolnyvko6wediqtozneyyojjmqve6wljnszpan1e2in0.eyjpc3mioijhdxrolmrvy2tlci5jb20ilcjzdwiioijqbghhd24ilcjhdwqioijyzwdpc3ryes5kb2nrzxiuy29tiiwizxhwijoxnde1mzg3mze1lcJuymyioje0mtuzodcwmtusimlhdci6mtqxntm4nzaxnswianrpijoidflkq08xyzzjbnl5n2tbbjbjn3jlugdivjfimwjgd3milcjhy2nlc3miolt7inr5cguIoijyzxbvc2l0b3j5iiwibmftzsi6innhbwfsymevbxktyxbwiiwiywn0aw9ucyi6wyjwdxnoil19xx0.qhflhpfbd6evf4lm9bwypfziv0pfikbyxulx959ykrtbpe3cynzs6ybk8ftovb5r47920pvlrh8zulzdcr9t3w", "expires_in": 3600, "issued_at": "2009-11-10T23:00:00Z"}

Example of using the bearer token

Authorization: Bearer Eyj0exaioijkv1qilcjhbgcioijfuzi1niisimtpzci6ikjwm0q6mkfwwjpvqjvaoktjqva6su5qtdo1ru42ok40sjq6nk1xtzpeuktfokjwuus6m0zktdpqt1rmin0.eyjpc3mioijhdxrolmrvy2tlci5jb20ilcjzdwiioijcq0nzok9vnlo6uuvkntpxtjjdojjbvkm6wtdzrdpbm0xzojq1vvc6ne9hrdplquxmoknosjU6nulvtcisimf1zci6injlz2lzdhj5lmrvy2tlci5jb20ilcjlehaioje0mtuzodczmtusim5izii6mtqxntm4nzaxnswiawf0ijoxnde1mzg3mde1lcjqdgkIoij0wupdtzfjnmnuexk3a0fumgm3cktqz2jwmugxykz3cyisinnjb3blijoiamxoyxduonjlcg9zaxrvcnk6c2ftywxiys9tes1hcha6chvzacxwdwxsigpsagf3bjpuyw1lc3bhy2u6c2ftywxiytpwdwxsin0.y3zzswazpqy4y9orbvrimzyv3m_s9xdhf1twwn7ml52c_Iia73sjkwvnsvnqpjin5h7a2f8biv_s2ppq1lgkbw
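
The client side of this exchange, as an added Python example that is not part of the original page or of Docker's own code: it parses the challenge, builds the token request URL, and reads the token response into an Authorization header. The function names, the trusted_hosts allow-list and the sample values are assumptions of this example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlencode, urlsplit

# Constructed sample input: the challenge header value shown on this page.
CHALLENGE = ('Bearer realm="https://auth.docker.io/token",'
             'service="registry.docker.io",'
             'scope="repository:samalba/my-app:pull,push"')

def parse_challenge(header):
    """Split a Bearer challenge into its key="value" parameters."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', rest)}

def token_url(params, trusted_hosts):
    """Build the GET URL for the token server named in the challenge.

    The realm is supplied by the registry's response, so it is checked
    before any credentials are sent to it. trusted_hosts is this example's
    own policy, not something the specification defines.
    """
    realm = urlsplit(params["realm"])
    if realm.scheme != "https" or realm.hostname not in trusted_hosts:
        raise ValueError("untrusted token realm: " + params["realm"])
    query = {"service": params["service"]}
    if "scope" in params:
        query["scope"] = params["scope"]
    return params["realm"] + "?" + urlencode(query, safe=":/,")

def read_token(body, received_at):
    """Return (bearer token, expiry time) from a decoded token response."""
    token = body.get("token") or body.get("access_token")
    if not token:
        raise ValueError("response carries neither token nor access_token")
    lifetime = timedelta(seconds=body.get("expires_in", 60))  # default is 60s
    issued = body.get("issued_at")
    # Without issued_at, the lifetime is counted from receipt of the response.
    start = (datetime.fromisoformat(issued.replace("Z", "+00:00"))
             if issued else received_at)
    return token, start + lifetime

def auth_header(token):
    """Header to attach when retrying the original push/pull request."""
    return {"Authorization": "Bearer " + token}
```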

Reference:
Docker token
