Dependency proxy does not work when SSO is enabled
Summary
It appears that when SSO is enabled on a private group, you cannot pull an image from the Dependency Proxy.
Steps to reproduce
Create a new private group and enable SSO (start a GitLab trial if needed). Attempt docker login and docker pull. The pull will fail.
Example Project
https://gitlab.com/groups/acme-org-test/-/dependency_proxy
What is the current bug behavior?
Using username or oauth2:<pat-token> gives the same results.
I expect oauth2:pat-token to work.
# docker login https://gitlab.com/acme-orgt-test/dependency_proxy/containers
Username: <user>
Password:
Login Succeeded
#
# docker pull gitlab.com/acme-org-test/dependency_proxy/containersnode:latest
Trying to pull repository gitlab.com/acme-org-test/dependency_proxy/containersnode ...
Pulling repository gitlab.com/acme-org-test/dependency_proxy/containersnode
Error: Status 503 trying to pull repository acme-org-test/dependency_proxy/containersnode: "<!DOCTYPE html>\n<html>\n<head>\n <meta content=\"width=device-width, initial-scale=1, maximum-scale=1\" name=\"viewport\">\n <title>Checking your Browser - GitLab</title>\n [remainder of the HTML browser-check page omitted; its challenge form posts to /users/sign_in]"
What is the expected correct behavior?
Docker pulls as expected (this is a non-SSO-enabled private group)
Trying to pull repository gitlab.com/acme-org-dependency-proxy/dependency_proxy/containers/node ...
latest: Pulling from gitlab.com/acme-org-dependency-proxy/dependency_proxy/containers/node
22f9b9782fc3: Pull complete
2c75c9e56a8a: Pull complete
b31d19b99daa: Pull complete
e000cbf49b08: Pull complete
892def1a6f88: Pull complete
0581e893c9eb: Pull complete
0ad0885e5e6f: Pull complete
bdae7f78fe28: Pull complete
f328a27cd263: Pull complete
Digest: sha256:74026731a623413fbdb99552b3a17f806ca9c3b4c685e08aa21472024de403b0
Status: Downloaded newer image for gitlab.com/acme-org-dependency-proxy/dependency_proxy/containers/node:latest
Results of GitLab environment info
GitLab.com
@sabrams o/
Edited by Bren Whyte
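
A triage helper for the failure shown in this report, added here as an example (it is not part of the original issue and is not GitLab or Docker code): it parses the client's `Error: Status ...` line and tells an HTML page, such as the browser-check page above whose form posts to `/users/sign_in`, apart from a JSON registry error. The sample strings are constructed, shortened stand-ins, and the function and field names are hypothetical.

```python
import json
import re

# Constructed, shortened stand-ins for the client's error line (not real captures).
HTML_ERROR = (
    'Error: Status 503 trying to pull repository group/dependency_proxy/containers/node: '
    '"<!DOCTYPE html>\\n<html>\\n<head>\\n <title>Checking your Browser - GitLab</title>\\n'
    '</head>\\n<body>\\n <form id=\\"challenge-form\\" '
    'action=\\"/users/sign_in?tk=PLACEHOLDER\\" method=\\"POST\\">\\n </form>\\n</body>\\n</html>"'
)
JSON_ERROR = (
    'Error: Status 401 trying to pull repository group/dependency_proxy/containers/node: '
    '"{\\"errors\\":[{\\"code\\":\\"UNAUTHORIZED\\",\\"message\\":\\"authentication required\\"}]}"'
)

_ERR = re.compile(r'Error: Status (\d{3}) trying to pull repository (\S+): "(.*)"\s*$', re.S)
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}


def _unquote(body: str) -> str:
    """Undo the backslash escaping of the quoted response body in one pass."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), body)


def classify_pull_error(stderr: str) -> dict:
    """Say whether a failed pull got a JSON registry error or an HTML page."""
    m = _ERR.search(stderr)
    if not m:
        return {"kind": "unrecognised"}
    body = _unquote(m.group(3))
    result = {"status": int(m.group(1)), "repository": m.group(2)}
    try:
        errors = json.loads(body).get("errors", [])
        result.update(kind="registry_error", codes=[e.get("code") for e in errors])
        return result
    except (ValueError, AttributeError):
        pass  # not a JSON error object; check for HTML next
    if "<html" not in body.lower():
        result["kind"] = "other"
        return result
    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    action = re.search(r'<form[^>]*\baction="([^"?]*)', body, re.I)
    result.update(kind="html_page", title=title.group(1).strip() if title else None,
                  form_action=action.group(1) if action else None)
    # A form posting to the web sign-in path shows the client was sent to interactive login.
    result["posts_to_sign_in"] = result["form_action"] == "/users/sign_in"
    return result
```

An `html_page` result with `posts_to_sign_in` set means the client never received a registry API response, so the credentials passed to `docker login` were not what failed.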