Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password

static/directives/config/config-setup-tool.html

@@ -622,14 +622,14 @@
       <div class="co-panel-body">
         <div class="description">
           <p>
-            Authentication for the registry can be handled by either the registry itself, LDAP, Keystone, OIDC or external JWT endpoint.
+            Authentication for the registry can be handled by either the registry itself, LDAP, Keystone, or external JWT endpoint.
           </p>
           <p>
             Additional <strong>external</strong> authentication providers (such as GitHub) can be used in addition for <strong>login into the UI</strong>.
           </p>
         </div>
 
-        <div ng-if="config.AUTHENTICATION_TYPE != 'OIDC'">
+        <div ng-if="config.AUTHENTICATION_TYPE != 'AppToken'">
           <div class="co-alert co-alert-warning" ng-if="config.AUTHENTICATION_TYPE != 'Database' && !config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
             It is <strong>highly recommended</strong> to require encrypted client passwords. External passwords used in the Docker client will be stored in <strong>plaintext</strong>!
             <a ng-click="config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH = true">Enable this requirement now</a>.
@@ -650,7 +650,7 @@
                 <option value="LDAP">LDAP</option>
                 <option value="Keystone">Keystone (OpenStack Identity)</option>
                 <option value="JWT">JWT Custom Authentication</option>
-                <option value="OIDC">OIDC Token Authentication</option>
+                <option value="AppToken" ng-if="config.FEATURE_APP_SPECIFIC_TOKENS">External Application Token</option>
               </select>
             </td>
           </tr>
@@ -690,21 +690,6 @@
           </tr>
         </table>
 
-        <!--  OIDC Token Authentication -->
-        <table class="config-table" ng-if="config.AUTHENTICATION_TYPE == 'OIDC'">
-          <tr>
-            <td>OIDC Provider:</td>
-            <td>
-              <select class="form-control" ng-model="config.INTERNAL_OIDC_SERVICE_ID" ng-if="getOIDCProviders(config).length">
-                <option value="{{ getOIDCProviderId(provider) }}" ng-repeat="provider in getOIDCProviders(config)">{{ config[provider]['SERVICE_NAME'] || getOIDCProviderId(provider) }}</option>
-              </select>
-              <div class="co-alert co-alert-danger" ng-if="!getOIDCProviders(config).length">
-                An OIDC provider must be configured to use this authentication system
-              </div>
-            </td>
-          </tr>
-        </table>
-
         <!--  Keystone Authentication -->
         <table class="config-table" ng-if="config.AUTHENTICATION_TYPE == 'Keystone'">
           <tr>
@@ -782,7 +767,7 @@
               <div class="help-text">
                 A certificate containing the public key portion of the key pair used to sign
                 the JSON Web Tokens. This file must be in PEM format.
-              </div
+              </div>
             </td>
           </tr>
           <tr>
@@ -1091,7 +1076,7 @@
             <span style="display: inline-block; margin-left: 10px">(<a href="javascript:void(0)" ng-click="removeOIDCProvider(provider)">Delete</a>)</span>
           </div>
           <div class="co-panel-body">
-            <div class="co-alert co-alert-warning" ng-if="config.AUTHENTICATION_TYPE && config.AUTHENTICATION_TYPE != 'Database' && config.AUTHENTICATION_TYPE != 'OIDC' && !(config[provider].LOGIN_BINDING_FIELD)">
+            <div class="co-alert co-alert-warning" ng-if="config.AUTHENTICATION_TYPE && config.AUTHENTICATION_TYPE != 'Database' && config.AUTHENTICATION_TYPE != 'AppToken' && !(config[provider].LOGIN_BINDING_FIELD)">
               Warning: This OIDC provider is not bound to your <strong>{{ config.AUTHENTICATION_TYPE }}</strong> authentication. Logging in via this provider will create a <strong><span class="registry-name"></span>-only user</strong>, which is not the recommended approach. It is <strong>highly</strong> recommended to choose a "Binding Field" below.
             </div>
 
@@ -1152,7 +1137,7 @@
                   </div>
                 </td>
               </tr>
-              <tr ng-if="config.AUTHENTICATION_TYPE != 'Database' && config.AUTHENTICATION_TYPE != 'OIDC'">
+              <tr ng-if="config.AUTHENTICATION_TYPE != 'Database' && config.AUTHENTICATION_TYPE != 'AppToken'">
                 <td>Binding Field:</td>
                 <td>
                   <select class="form-control" ng-model="config[provider].LOGIN_BINDING_FIELD">
@@ -1234,6 +1219,28 @@
               </div>
             </td>
           </tr>
+          <tr>
+            <td class="non-input">External Application tokens</td>
+            <td colspan="2">
+              <div class="config-bool-field" binding="config.FEATURE_APP_SPECIFIC_TOKENS">
+                Allow external application tokens
+              </div>
+              <div class="help-text">
+                  If enabled, users will be able to generate external application tokens for use on the Docker and rkt CLI. Note
+                  that these tokens will <strong>not be required</strong> unless "App Token" is chosen as the Internal Authentication method above.
+               </div>
+             </td>
+          </tr>
+          <tr ng-if="config.FEATURE_APP_SPECIFIC_TOKENS">
+              <td>External application token expiration</td>
+              <td colspan="2">
+                <span class="config-string-field" binding="config.APP_SPECIFIC_TOKEN_EXPIRATION"
+                      pattern="[0-9]+(m|w|h|d|s)" is-optional="true"></span>              
+                <div class="help-text">
+                  The expiration time for user generated external application tokens. If none, tokens will never expire.
+                </div>
+               </td>
+            </tr>
           <tr>
             <td class="non-input">Anonymous Access:</td>
             <td colspan="2">