[Bug]: api keys endpoint skip oidc auth

[legolego621]

zot version

v2.0.2-rc1

Describe the bug

If i use oidc method auth, after login to zot and try create apikey, i have UNAUTHORIZED code, because auth by oidc to /zot/auth/apikey does not work (work only with basic auth)

To reproduce

1. Configuration
   helm chart version: v2.0.2-rc1
   values.yaml

replicaCount: 1
image:
  repository: ghcr.io/project-zot/zot-linux-amd64
  pullPolicy: IfNotPresent
  tag: "v2.0.2-rc1"

strategy:
  type: Recreate
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
  className: "nginx"
  pathtype: ImplementationSpecific
  hosts:
    - host: reg.example.com
      paths:
        - path: /
  tls:
   - secretName: cert
     hosts:
       - reg.example.com

httpGet:
  scheme: HTTP

mountConfig: true
mountSecret: true

configFiles:
  config.json: |-
    {
      "storage": { 
        "rootDirectory": "/tmp/zot",
        "dedupe": false,
        "storageDriver": {
            ........
        }
      },
      "http": {
        "address":"0.0.0.0",
        "port":"5000",
        "externalUrl": "https://reg.example.com",
        "auth":{
          "apikey": true,
          "htpasswd": {
            "path": "/secret/htpasswd"
          },
          "openid": {
            "providers": {
              "oidc": {
                "issuer": "https://keycloak.example.com/realms/test",
                "clientid": "project-zot",
                "clientsecret": "secret....",
                "keypath": "",
                "scopes": ["openid", "profile", "email", "groups"]
              }
            }
          }
        },
        "accessControl": {
          "repositories": {
            "tenant-1/**": {
              "policies": [{
                "users": ["user"],
                "groups": ["project-zot-tenant-1"],
                "actions": ["read", "create", "update", "delete"]
              }],
              "defaultPolicy": []
            },
            "tenant-2/**": {
              "policies": [{
                "users": ["user"],
                "groups": ["project-zot-tenant-2"],
                "actions": ["read", "create", "update", "delete"]
              }],
              "defaultPolicy": []
            }
          },
          "adminPolicy": {
            "users": ["admin"],
            "actions": ["read", "create", "update", "delete"]
          }
        }
      },
      "log": {
        "level":"debug"
      },

      "extensions": {
        "search": {
          "enable": true
        },
        "ui": {
          "enable": true
        },
        "mgmt": {
          "enable": true
        },
        "sync": {
          "downloadDir": "/tmp/zot",
          "registries": [
            {
              "urls": ["https://127.0.0.1:5000"],
              "content": [
                {
                  "prefix": "**", 
                  "destination": "/tenant-1"
                }
              ],
              "onDemand": true,
              "tlsVerify": false
            },
            {
              "urls": ["https://127.0.0.1:5000"],
              "content": [
                {
                  "prefix": "**", 
                  "destination": "/tenant-2"
                }
              ],
              "onDemand": true,
              "tlsVerify": false
            },
            {
              "urls": ["https://reg2.example.com"],
              "content": [
                {
                  "prefix": "**", 
                  "destination": "/gitlab"
                }
              ],
              "onDemand": true,
              "tlsVerify": true
            },
            {
              "urls": ["https://docker.io/library"],
              "content": [
                {
                  "prefix": "**", 
                  "destination": "/docker"
                }
              ],
              "onDemand": true,
              "tlsVerify": true
            }
          ]
        }
      }
    }

secretFiles:
  htpasswd: |-
    admin:$2y$05$vmiurPmJvHylk78HHFWuruFFVePlit9rZWGA/FbZfTEmNRneGJtha

authHeader: "YWRtaW46YWRtaW4="

3. Client tool used
   I try to create apikey and have UNAUTHORIZED code error

curl -u "username_oidc:password" -X POST https://reg.example.com/zot/auth/apikey -d '{"label": "git", "scopes": ["tenant-1"]}'

{"code":"UNAUTHORIZED","message":"authentication required","detail":{"description":"The access controller was unable to authenticate the client. Often this will be accompanied by a WWW-Authenticate HTTP response header indicating how to authenticate."}}

but i can login to ui with username_oidc:password by oidc mathod auth and have only problem to access https://reg.example.com/zot/auth/apikey page (auth by admin default user can open page)

4. Seen error
   logs

 {"level":"error","goroutine":430,"caller":"zotregistry.io/zot/pkg/api/authn.go:190","time":"2024-02-17T09:33:24.173655954Z","message":"invalid api token format"}                                               {"level":"info","module":"http","username":"username_oidc","component":"session","clientIP":"10.233.75.194:34988","method":"POST","path":"/zot/auth/apikey","statusCode":401,"latency":"0s","bod ││ ySize":253,"headers":{"Accept":["*/*"],"Authorization":["******"],"Content-Length":["40"],"Content-Type":["application/x-www-form-urlencoded"],"User-Agent":["curl/7.81.0"],"X-Forwarded-For":["192.168.30.5"], ││ "X-Forwarded-Host":["reg.example.com"],"X-Forwarded-Port":["443"],"X-Forwarded-Proto":["https"],"X-Forwarded-Scheme":["https"],"X-Real-Ip":["192.168.30.5"],"X-Request-Id":["7761d6375e1e46aa0f480de470b2cf5a" ││ ],"X-Scheme":["https"]},"goroutine":430,"caller":"zotregistry.io/zot/pkg/api/session.go:132","time":"2024-02-17T09:33:24.173776652Z","message":"HTTP API"}                                                                                                                                                                                                     

Expected behavior

allow to create apikey with oidc auth

Screenshots

No response

Additional context

No response

[andaaron]

Hi @legolego621, the oidc auth workflow is more complex and requires multiple requests, which the UI implements.
We added the api keys feature specifically for oidc users as a workaround for command line tools, as an alternative.
Ideally the oidc user would login to the UI, and generate the API key from a menu there.

Unfortunately, the UI implementation is not merged yet (project-zot/zui#403).

[legolego621]

Hi @legolego621, the oidc auth workflow is more complex and requires multiple requests, which the UI implements. We added the api keys feature specifically for oidc users as a workaround for command line tools, as an alternative. Ideally the oidc user would login to the UI, and generate the API key from a menu there.

Unfortunately, the UI implementation is not merged yet (project-zot/zui#403).

Hi, thanks for the quick response.
Please tell me how I can now generate an api key by logging in as user oidc? You mentioned that you added the api path.

[andaaron]

@legolego621, we merged project-zot/zui#403.
Do you think you could build zot based on #2256 (which includes project-zot/zui#403), and test the UI feature for API key management? See how that works out for you.
It's in the menu available for logger in users at the top right of the page.

[legolego621]

@andaaron
Thanks, this worked for me.
I built the zui image from commit-33524ce

[andaaron]

@legolego621, shall we close this issue then?