SourceCode
diff --git a/‎api/client/info.go‎
Lines changed: 1 addition & 1 deletion b/‎api/client/info.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/client/login.go‎
Lines changed: 6 additions & 1 deletion b/‎api/client/login.go‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎api/client/trust.go‎
Lines changed: 7 additions & 0 deletions b/‎api/client/trust.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎api/server/router/system/backend.go‎
Lines changed: 1 addition & 1 deletion b/‎api/server/router/system/backend.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/server/router/system/system_routes.go‎
Lines changed: 3 additions & 2 deletions b/‎api/server/router/system/system_routes.go‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎cliconfig/credentials/native_store.go‎
Lines changed: 23 additions & 7 deletions b/‎cliconfig/credentials/native_store.go‎
Lines changed: 23 additions & 7 deletions
diff --git a/‎cliconfig/credentials/native_store_test.go‎
Lines changed: 51 additions & 6 deletions b/‎cliconfig/credentials/native_store_test.go‎
Lines changed: 51 additions & 6 deletions
diff --git a/‎daemon/daemon.go‎
Lines changed: 1 addition & 1 deletion b/‎daemon/daemon.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎distribution/registry.go‎
Lines changed: 19 additions & 1 deletion b/‎distribution/registry.go‎
Lines changed: 19 additions & 1 deletion
diff --git a/‎docs/reference/api/docker_remote_api.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/reference/api/docker_remote_api.md‎
Lines changed: 1 addition & 0 deletions
@@ -93,8 +93,8 @@ func (cli *DockerCli) CmdInfo(args ...string) error {
 		u := cli.configFile.AuthConfigs[info.IndexServerAddress].Username
 		if len(u) > 0 {
 			fmt.Fprintf(cli.out, "Username: %v\n", u)
-			fmt.Fprintf(cli.out, "Registry: %v\n", info.IndexServerAddress)
 		}
+		fmt.Fprintf(cli.out, "Registry: %v\n", info.IndexServerAddress)
 	}
 
 	// Only output these warnings if the server does not support these features
 
@@ -57,12 +57,16 @@ func (cli *DockerCli) CmdLogin(args ...string) error {
 		return err
 	}
 
+	if response.IdentityToken != "" {
+		authConfig.Password = ""
+		authConfig.IdentityToken = response.IdentityToken
+	}
 	if err := storeCredentials(cli.configFile, authConfig); err != nil {
 		return fmt.Errorf("Error saving credentials: %v", err)
 	}
 
 	if response.Status != "" {
-		fmt.Fprintf(cli.out, "%s\n", response.Status)
+		fmt.Fprintln(cli.out, response.Status)
 	}
 	return nil
 }
@@ -120,6 +124,7 @@ func (cli *DockerCli) configureAuth(flUser, flPassword, serverAddress string, is
 	authconfig.Username = flUser
 	authconfig.Password = flPassword
 	authconfig.ServerAddress = serverAddress
+	authconfig.IdentityToken = ""
 
 	return authconfig, nil
 }
 
@@ -107,6 +107,13 @@ func (scs simpleCredentialStore) Basic(u *url.URL) (string, string) {
 	return scs.auth.Username, scs.auth.Password
 }
 
+func (scs simpleCredentialStore) RefreshToken(u *url.URL, service string) string {
+	return scs.auth.IdentityToken
+}
+
+func (scs simpleCredentialStore) SetRefreshToken(*url.URL, string, string) {
+}
+
 // getNotaryRepository returns a NotaryRepository which stores all the
 // information needed to operate on a notary repository.
 // It creates a HTTP transport providing authentication support.
 
@@ -13,5 +13,5 @@ type Backend interface {
 	SystemVersion() types.Version
 	SubscribeToEvents(since, sinceNano int64, ef filters.Args) ([]events.Message, chan interface{})
 	UnsubscribeFromEvents(chan interface{})
-	AuthenticateToRegistry(authConfig *types.AuthConfig) (string, error)
+	AuthenticateToRegistry(authConfig *types.AuthConfig) (string, string, error)
 }
@@ -115,11 +115,12 @@ func (s *systemRouter) postAuth(ctx context.Context, w http.ResponseWriter, r *h
 	if err != nil {
 		return err
 	}
-	status, err := s.backend.AuthenticateToRegistry(config)
+	status, token, err := s.backend.AuthenticateToRegistry(config)
 	if err != nil {
 		return err
 	}
 	return httputils.WriteJSON(w, http.StatusOK, &types.AuthResponse{
-		Status: status,
+		Status:        status,
+		IdentityToken: token,
 	})
 }
@@ -13,7 +13,10 @@ import (
 	"github.com/docker/engine-api/types"
 )
 
-const remoteCredentialsPrefix = "docker-credential-"
+const (
+	remoteCredentialsPrefix = "docker-credential-"
+	tokenUsername           = "<token>"
+)
 
 // Standarize the not found error, so every helper returns
 // the same message and docker can handle it properly.
@@ -29,14 +32,14 @@ type command interface {
 type credentialsRequest struct {
 	ServerURL string
 	Username  string
-	Password  string
+	Secret    string
 }
 
 // credentialsGetResponse is the information serialized from a remote store
 // when the plugin sends requests to get the user credentials.
 type credentialsGetResponse struct {
 	Username string
-	Password string
+	Secret   string
 }
 
 // nativeStore implements a credentials store
@@ -76,6 +79,7 @@ func (c *nativeStore) Get(serverAddress string) (types.AuthConfig, error) {
 		return auth, err
 	}
 	auth.Username = creds.Username
+	auth.IdentityToken = creds.IdentityToken
 	auth.Password = creds.Password
 
 	return auth, nil
@@ -89,6 +93,7 @@ func (c *nativeStore) GetAll() (map[string]types.AuthConfig, error) {
 		creds, _ := c.getCredentialsFromStore(s)
 		ac.Username = creds.Username
 		ac.Password = creds.Password
+		ac.IdentityToken = creds.IdentityToken
 		auths[s] = ac
 	}
 
@@ -102,6 +107,7 @@ func (c *nativeStore) Store(authConfig types.AuthConfig) error {
 	}
 	authConfig.Username = ""
 	authConfig.Password = ""
+	authConfig.IdentityToken = ""
 
 	// Fallback to old credential in plain text to save only the email
 	return c.fileStore.Store(authConfig)
@@ -113,7 +119,12 @@ func (c *nativeStore) storeCredentialsInStore(config types.AuthConfig) error {
 	creds := &credentialsRequest{
 		ServerURL: config.ServerAddress,
 		Username:  config.Username,
-		Password:  config.Password,
+		Secret:    config.Password,
+	}
+
+	if config.IdentityToken != "" {
+		creds.Username = tokenUsername
+		creds.Secret = config.IdentityToken
 	}
 
 	buffer := new(bytes.Buffer)
@@ -158,13 +169,18 @@ func (c *nativeStore) getCredentialsFromStore(serverAddress string) (types.AuthC
 		return ret, err
 	}
 
-	ret.Username = resp.Username
-	ret.Password = resp.Password
+	if resp.Username == tokenUsername {
+		ret.IdentityToken = resp.Secret
+	} else {
+		ret.Password = resp.Secret
+		ret.Username = resp.Username
+	}
+
 	ret.ServerAddress = serverAddress
 	return ret, nil
 }
 
-// eraseCredentialsFromStore executes the command to remove the server redentails from the native store.
+// eraseCredentialsFromStore executes the command to remove the server credentails from the native store.
 func (c *nativeStore) eraseCredentialsFromStore(serverURL string) error {
 	cmd := c.commandFn("erase")
 	cmd.Input(strings.NewReader(serverURL))
 
@@ -47,8 +47,10 @@ func (m *mockCommand) Output() ([]byte, error) {
 		}
 	case "get":
 		switch inS {
-		case validServerAddress, validServerAddress2:
-			return []byte(`{"Username": "foo", "Password": "bar"}`), nil
+		case validServerAddress:
+			return []byte(`{"Username": "foo", "Secret": "bar"}`), nil
+		case validServerAddress2:
+			return []byte(`{"Username": "<token>", "Secret": "abcd1234"}`), nil
 		case missingCredsAddress:
 			return []byte(errCredentialsNotFound.Error()), errCommandExited
 		case invalidServerAddress:
@@ -118,6 +120,9 @@ func TestNativeStoreAddCredentials(t *testing.T) {
 	if a.Password != "" {
 		t.Fatalf("expected password to be empty, got %s", a.Password)
 	}
+	if a.IdentityToken != "" {
+		t.Fatalf("expected identity token to be empty, got %s", a.IdentityToken)
+	}
 	if a.Email != "[email protected]" {
 		t.Fatalf("expected email `[email protected]`, got %s", a.Email)
 	}
@@ -174,11 +179,45 @@ func TestNativeStoreGet(t *testing.T) {
 	if a.Password != "bar" {
 		t.Fatalf("expected password `bar`, got %s", a.Password)
 	}
+	if a.IdentityToken != "" {
+		t.Fatalf("expected identity token to be empty, got %s", a.IdentityToken)
+	}
 	if a.Email != "[email protected]" {
 		t.Fatalf("expected email `[email protected]`, got %s", a.Email)
 	}
 }
 
+func TestNativeStoreGetIdentityToken(t *testing.T) {
+	f := newConfigFile(map[string]types.AuthConfig{
+		validServerAddress2: {
+			Email: "[email protected]",
+		},
+	})
+	f.CredentialsStore = "mock"
+
+	s := &nativeStore{
+		commandFn: mockCommandFn,
+		fileStore: NewFileStore(f),
+	}
+	a, err := s.Get(validServerAddress2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if a.Username != "" {
+		t.Fatalf("expected username to be empty, got %s", a.Username)
+	}
+	if a.Password != "" {
+		t.Fatalf("expected password to be empty, got %s", a.Password)
+	}
+	if a.IdentityToken != "abcd1234" {
+		t.Fatalf("expected identity token `abcd1234`, got %s", a.IdentityToken)
+	}
+	if a.Email != "[email protected]" {
+		t.Fatalf("expected email `[email protected]`, got %s", a.Email)
+	}
+}
+
 func TestNativeStoreGetAll(t *testing.T) {
 	f := newConfigFile(map[string]types.AuthConfig{
 		validServerAddress: {
@@ -209,14 +248,20 @@ func TestNativeStoreGetAll(t *testing.T) {
 	if as[validServerAddress].Password != "bar" {
 		t.Fatalf("expected password `bar` for %s, got %s", validServerAddress, as[validServerAddress].Password)
 	}
+	if as[validServerAddress].IdentityToken != "" {
+		t.Fatalf("expected identity to be empty for %s, got %s", validServerAddress, as[validServerAddress].IdentityToken)
+	}
 	if as[validServerAddress].Email != "[email protected]" {
 		t.Fatalf("expected email `[email protected]` for %s, got %s", validServerAddress, as[validServerAddress].Email)
 	}
-	if as[validServerAddress2].Username != "foo" {
-		t.Fatalf("expected username `foo` for %s, got %s", validServerAddress2, as[validServerAddress2].Username)
+	if as[validServerAddress2].Username != "" {
+		t.Fatalf("expected username to be empty for %s, got %s", validServerAddress2, as[validServerAddress2].Username)
+	}
+	if as[validServerAddress2].Password != "" {
+		t.Fatalf("expected password to be empty for %s, got %s", validServerAddress2, as[validServerAddress2].Password)
 	}
-	if as[validServerAddress2].Password != "bar" {
-		t.Fatalf("expected password `bar` for %s, got %s", validServerAddress2, as[validServerAddress2].Password)
+	if as[validServerAddress2].IdentityToken != "abcd1234" {
+		t.Fatalf("expected identity token `abcd1324` for %s, got %s", validServerAddress2, as[validServerAddress2].IdentityToken)
 	}
 	if as[validServerAddress2].Email != "[email protected]" {
 		t.Fatalf("expected email `[email protected]` for %s, got %s", validServerAddress2, as[validServerAddress2].Email)
 
@@ -1519,7 +1519,7 @@ func configureVolumes(config *Config, rootUID, rootGID int) (*store.VolumeStore,
 }
 
 // AuthenticateToRegistry checks the validity of credentials in authConfig
-func (daemon *Daemon) AuthenticateToRegistry(authConfig *types.AuthConfig) (string, error) {
+func (daemon *Daemon) AuthenticateToRegistry(authConfig *types.AuthConfig) (string, string, error) {
 	return daemon.RegistryService.Auth(authConfig, dockerversion.DockerUserAgent())
 }
 
 
@@ -26,6 +26,13 @@ func (dcs dumbCredentialStore) Basic(*url.URL) (string, string) {
 	return dcs.auth.Username, dcs.auth.Password
 }
 
+func (dcs dumbCredentialStore) RefreshToken(*url.URL, string) string {
+	return dcs.auth.IdentityToken
+}
+
+func (dcs dumbCredentialStore) SetRefreshToken(*url.URL, string, string) {
+}
+
 // NewV2Repository returns a repository (v2 only). It creates a HTTP transport
 // providing timeout settings and authentication support, and also verifies the
 // remote API version.
@@ -72,7 +79,18 @@ func NewV2Repository(ctx context.Context, repoInfo *registry.RepositoryInfo, end
 		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))
 	} else {
 		creds := dumbCredentialStore{auth: authConfig}
-		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...)
+		tokenHandlerOptions := auth.TokenHandlerOptions{
+			Transport:   authTransport,
+			Credentials: creds,
+			Scopes: []auth.Scope{
+				auth.RepositoryScope{
+					Repository: repoName,
+					Actions:    actions,
+				},
+			},
+			ClientID: registry.AuthClientID,
+		}
+		tokenHandler := auth.NewTokenHandlerWithOptions(tokenHandlerOptions)
 		basicHandler := auth.NewBasicHandler(creds)
 		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
 	}
 
@@ -125,6 +125,7 @@ This section lists each version from latest to oldest.  Each listing includes a
 * `GET /info` now returns `KernelMemory` field, showing if "kernel memory limit" is supported.
 * `POST /containers/create` now takes `PidsLimit` field, if the kernel is >= 4.3 and the pids cgroup is supported.
 * `GET /containers/(id or name)/stats` now returns `pids_stats`, if the kernel is >= 4.3 and the pids cgroup is supported.
+* `POST /auth` now returns an `IdentityToken` when supported by a registry.
 
 ### v1.22 API changes
Original file line number	Diff line number	Diff line change
`@@ -93,8 +93,8 @@ func (cli *DockerCli) CmdInfo(args ...string) error {`
`93`	`93`	`u := cli.configFile.AuthConfigs[info.IndexServerAddress].Username`
`94`	`94`	`if len(u) > 0 {`
`95`	`95`	`fmt.Fprintf(cli.out, "Username: %v\n", u)`
`96`		`- fmt.Fprintf(cli.out, "Registry: %v\n", info.IndexServerAddress)`
`97`	`96`	`}`
	`97`	`+ fmt.Fprintf(cli.out, "Registry: %v\n", info.IndexServerAddress)`
`98`	`98`	`}`
`99`	`99`
`100`	`100`	`// Only output these warnings if the server does not support these features`
Original file line number	Diff line number	Diff line change
`@@ -57,12 +57,16 @@ func (cli *DockerCli) CmdLogin(args ...string) error {`
`57`	`57`	`return err`
`58`	`58`	`}`
`59`	`59`
	`60`	`+ if response.IdentityToken != "" {`
	`61`	`+ authConfig.Password = ""`
	`62`	`+ authConfig.IdentityToken = response.IdentityToken`
	`63`	`+ }`
`60`	`64`	`if err := storeCredentials(cli.configFile, authConfig); err != nil {`
`61`	`65`	`return fmt.Errorf("Error saving credentials: %v", err)`
`62`	`66`	`}`
`63`	`67`
`64`	`68`	`if response.Status != "" {`
`65`		`- fmt.Fprintf(cli.out, "%s\n", response.Status)`
	`69`	`+ fmt.Fprintln(cli.out, response.Status)`
`66`	`70`	`}`
`67`	`71`	`return nil`
`68`	`72`	`}`
`@@ -120,6 +124,7 @@ func (cli *DockerCli) configureAuth(flUser, flPassword, serverAddress string, is`
`120`	`124`	`authconfig.Username = flUser`
`121`	`125`	`authconfig.Password = flPassword`
`122`	`126`	`authconfig.ServerAddress = serverAddress`
	`127`	`+ authconfig.IdentityToken = ""`
`123`	`128`
`124`	`129`	`return authconfig, nil`
`125`	`130`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,5 +13,5 @@ type Backend interface {`
`13`	`13`	`SystemVersion() types.Version`
`14`	`14`	`SubscribeToEvents(since, sinceNano int64, ef filters.Args) ([]events.Message, chan interface{})`
`15`	`15`	`UnsubscribeFromEvents(chan interface{})`
`16`		`- AuthenticateToRegistry(authConfig *types.AuthConfig) (string, error)`
	`16`	`+ AuthenticateToRegistry(authConfig *types.AuthConfig) (string, string, error)`
`17`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -115,11 +115,12 @@ func (s systemRouter) postAuth(ctx context.Context, w http.ResponseWriter, r h`
`115`	`115`	`if err != nil {`
`116`	`116`	`return err`
`117`	`117`	`}`
`118`		`- status, err := s.backend.AuthenticateToRegistry(config)`
	`118`	`+ status, token, err := s.backend.AuthenticateToRegistry(config)`
`119`	`119`	`if err != nil {`
`120`	`120`	`return err`
`121`	`121`	`}`
`122`	`122`	`return httputils.WriteJSON(w, http.StatusOK, &types.AuthResponse{`
`123`		`- Status: status,`
	`123`	`+ Status: status,`
	`124`	`+ IdentityToken: token,`
`124`	`125`	`})`
`125`	`126`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1519,7 +1519,7 @@ func configureVolumes(config Config, rootUID, rootGID int) (store.VolumeStore,`
`1519`	`1519`	`}`
`1520`	`1520`
`1521`	`1521`	`// AuthenticateToRegistry checks the validity of credentials in authConfig`
`1522`		`-func (daemon Daemon) AuthenticateToRegistry(authConfig types.AuthConfig) (string, error) {`
	`1522`	`+func (daemon Daemon) AuthenticateToRegistry(authConfig types.AuthConfig) (string, string, error) {`
`1523`	`1523`	`return daemon.RegistryService.Auth(authConfig, dockerversion.DockerUserAgent())`
`1524`	`1524`	`}`
`1525`	`1525`