Add specification for using oauth with the token server

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-02-11 13:55:23 -08:00 · 2016-02-11 13:55:23 -08:00 · d8b59ab637
commit d8b59ab637
parent bf991fec01
3 changed files with 155 additions and 8 deletions
--- a/docs/spec/auth/token.md
+++ b/docs/spec/auth/token.md
@ -91,6 +91,8 @@ challenge, the client will need to make a `GET` request to the URL

 ## Requesting a Token

+Defines getting a bearer and refresh token using the token endpoint.
+
 #### Query Parameters

 <dl>
@ -100,6 +102,15 @@ challenge, the client will need to make a `GET` request to the URL
    <dd>
        The name of the service which hosts the resource.
    </dd>
+    <dt>
+        <code>offline_token</code>
+    </dt>
+    <dd>
+        Whether to return a refresh token along with the bearer token. A refresh
+        token is capable of getting additional bearer tokens for the same
+        subject with different scopes. The refresh token does not have an
+        expiration and should be considered completely opaque to the client.
+    </dd>
    <dt>
        <code>scope</code>
    </dt>
@ -109,7 +120,9 @@ challenge, the client will need to make a `GET` request to the URL
        shown above. This query parameter should be specified multiple times if
        there is more than one <code>scope</code> entry from the <code>WWW-Authenticate</code>
        header. The above example would be specified as:
-        <code>scope=repository:samalba/my-app:push</code>.
+        <code>scope=repository:samalba/my-app:push</code>. The scope field may
+        be empty to request a refresh token without providing any resource
+        permissions to the returned bearer token.
    </dd>
 </dl>

@ -150,6 +163,16 @@ challenge, the client will need to make a `GET` request to the URL
        standard time at which a given token was issued. If <code>issued_at</code> is omitted, the
        expiration is from when the token exchange completed.
    </dd>
+    <dt>
+        <code>refresh_token</code>
+    </dt>
+    <dd>
+        (Optional) Token which can be used to get additional access tokens for
+        the same subject with different scopes. This token should be kept secure
+        by the client and only sent to the authorization server which issues
+        bearer tokens. This field will only be set when `offline_token=true` is
+        provided in the request.
+    </dd>
 </dl>

 #### Example
@ -161,11 +184,12 @@ https://auth.docker.io/token?service=registry.docker.io&scope=repository:samalba
 ```

 The token server should first attempt to authenticate the client using any
-authentication credentials provided with the request. As of Docker 1.8, the
-registry client in the Docker Engine only supports Basic Authentication to
-these token servers. If an attempt to authenticate to the token server fails,
-the token server should return a `401 Unauthorized` response indicating that
-the provided credentials are invalid.
+authentication credentials provided with the request. From Docker 1.11 the
+Docker engine supports both Basic Authentication and [OAuth2](oauth.md) for
+getting tokens. Docker 1.10 and before, the registry client in the Docker Engine
+only supports Basic Authentication. If an attempt to authenticate to the token
+server fails, the token server should return a `401 Unauthorized` response
+indicating that the provided credentials are invalid.

 Whether the token server requires authentication is up to the policy of that
 access control provider. Some requests may require authentication to determine