For Harbor Registry, Catalog listing is not working with Bearer Token. Receiving 401 unauthorized token

Question

While doing catalog listing using the Bearer token, I am receiving 401 unauthorized error.
Docker Version: 19.03.11
Docker Compose Version: 1.26.0
Used harbor v2.0.0 online installer.

Below is what I have done.
Getting authentication details:

[root@localhost ~ ] curl -v -k http://<harbor registry server>/v2/  
About to connect() to <harbor registry server> port 80 (#0)  
Trying **.**.**.**...  
Connected to <harbor registry server> (**.**.**.**) port 80 (#0)  
GET /v2/ HTTP/1.1  
User-Agent: curl/7.29.0  
Host: <harbor registry server>  
Accept: */*  
HTTP/1.1 401 Unauthorized  
Server: nginx  
Date: Wed, 25 Nov 2020 05:01:54 GMT  
Content-Type: application/json; charset=utf-8  
Content-Length: 76  
Connection: keep-alive  
Docker-Distribution-Api-Version: registry/2.0  
Set-Cookie: sid=bc1dfc03bfab8e5802ddf950d1048b37; Path=/; HttpOnly  
**Www-Authenticate: Bearer realm="http://<harbor registry server>/service/token",service="harbor-registry"**  
X-Request-Id: f10c0e6a-4bde-496f-9bd2-897d1d2de0cb  
   
{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized: unauthorized"}]}  

Request to get the token:

curl -k -v -u 'admin:Harbor12345' http://<harbor registry server>/service/token?service=harbor-registry&scope=registry:catalog:*  

Response

1] 23529  
[root@localhost ~ ] * About to connect() to <harbor registry server> port 80 (#0)  

Trying ......  
Connected to <harbor registry server> (...) port 80 (#0)  
Server auth using Basic with user 'admin'  
GET /service/token?service=harbor-registry HTTP/1.1  
Authorization: Basic YWRtaW46SGFyYm9yMTIzNDU=  
User-Agent: curl/7.29.0  
Host: <harbor registry server>  
Accept: /  
HTTP/1.1 200 OK  
Server: nginx  
Date: Mon, 23 Nov 2020 08:39:47 GMT  
Content-Type: application/json; charset=utf-8  
Content-Length: 1122  
Connection: keep-alive  
Set-Cookie: sid=d52190099e5a2a55de383e3ec4407aad; Path=/; HttpOnly  
X-Request-Id: a190671a-6d52-4a90-8022-8762b8843d0f  
X-Frame-Options: DENY  
Content-Security-Policy: frame-ancestors 'none'  
  
{  
"token": "zzzz",  
"access_token": "",  
"expires_in": 1800,  
"issued_at": "2020-11-23T08:39:47Z"  
Connection #0 to host <harbor registry server> left intact  

Now setting the TOKEN to a token value.

[root@localhost ~ ]  TOKEN=zzzz 

Command to do the catalog listing

[root@localhost ~ ] **curl -v -k -H "Authorization: Bearer $TOKEN" http://<harbor registry server>/v2/_catalog***   

About to connect() to <harbor registry server> port 80 (#0)  
Trying ......  
Connected to <harbor registry server> (...) port 80 (#0)  
GET /v2/_catalog HTTP/1.1  
User-Agent: curl/7.29.0  
Host: <harbor registry server>  
Accept: /  
Authorization: Bearer zzzz

HTTP/1.1 401 Unauthorized  
Server: nginx  
Date: Mon, 23 Nov 2020 08:45:52 GMT  
Content-Type: application/json; charset=utf-8  
Content-Length: 108  
Connection: keep-alive  
Docker-Distribution-Api-Version: registry/2.0  
Set-Cookie: sid=7657dcb0d2bdfd962d25995ec4bb11ed; Path=/; HttpOnly  
Www-Authenticate: Basic realm="harbor"  
X-Request-Id: db841f81-a1ff-4498-8387-980de1282433  
{"errors":[{"**code":"UNAUTHORIZED","message":"unauthorized to list catalog: unauthorized to list catalog**"}]}  

Any ideas what am I missing?

Answer 1

All v2 APIs support basic authorization from harbor v2.0.
https://github.com/goharbor/harbor/issues/13573

Use:

TOKEN=$(echo -n '<your username>:<your password>' | base64) 
curl -v -k -H "Authorization: Basic $TOKEN" http://<harbor registry server>/v2/_catalog

Note: if you want to access docker registry 'http://<harbor registry server/v2/_catalog', user need to be a admin user.

I try to use a robot account with 'List Repository' permission on harbor v2.5, but failed.
Success get respositories catalog by use a new created user who has been set as admin.

root@harbor:~/bin# TOKEN=$(echo -n 'robot$myuser:<robot myuser's key>' | base64)
root@harbor:~/bin# curl -ikL -X GET -H "Content-Type: application/json" -H "Authorization: Basic ${TOKEN}" https://<my harbor registry server>/v2/_catalog
HTTP/1.1 401 Unauthorized
Server: nginx
Date: Tue, 19 Jul 2022 02:24:48 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 108
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0
Set-Cookie: sid=55396cb4252801332505b4cd48fdbf73; Path=/; HttpOnly
Www-Authenticate: Basic realm="harbor"
X-Request-Id: e974235d-75df-49f5-b366-1010933a6cc4

{"errors":[{"code":"UNAUTHORIZED","message":"unauthorized to list catalog: unauthorized to list catalog"}]}

---

root@harbor:~/bin# TOKEN=$(echo -n 'phanx:<phanx's password>' | base64)
root@harbor:~/bin# curl -ikL -X GET -H "Content-Type: application/json" -H "Authorization: Basic ${TOKEN}" https://<my harbor registry server>/v2/_catalog
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 19 Jul 2022 02:35:27 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: sid=5b3b90706cdf0077695b97286882a397; Path=/; HttpOnly
X-Request-Id: 8734215d-a892-41bc-b531-9ba4e5a7bcfb
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'

{"repositories":["library/afms-engine","library/nginx"]}