Add support for refresh token in Docker registry login
Description
The Docker registry authentication endpoint (https://[...]/jwt/auth) currently only returns a short-lived bearer token in the authentication response. As a result, docker login stores the user's plaintext password, either in ~/.docker/config.json (base64-encoded in the auth field, which is an encoding, not encryption) or in the user's keychain (depending on which Docker credential store is configured on the machine).
Docker supports replacing the stored password with a refresh token. If the client asks for offline access (the Docker client sends the query parameter offline_token=true on the token request), the authentication service may return a refresh_token attribute in addition to the token attribute. If it does, the Docker client stores the refresh token (as identitytoken in config.json or in the credential store) instead of the user's password, and later exchanges it for new access tokens by POSTing grant_type=refresh_token to the same endpoint, as described in Docker's OAuth2 token specification.
The main benefit is that users don't inadvertently leave their password unencrypted on their workstation or on servers where they run docker login. Another advantage is that the refresh token can be limited to granting access to the container registry only, which makes it more restricted than the personal access tokens that can be used instead of passwords in GitLab.
Proposal
Add code to the Docker registry authentication endpoint to:
- Generate and return a refresh token to the client if it requests one (through the offline_token=true query parameter).
- Handle authentication requests that present the refresh token (grant_type=refresh_token) and issue a new access token from it.
Some way to revoke refresh tokens is also required. There are a couple of alternatives. The simple approach is to tie each refresh token to the password or personal access token it was issued from, and revoke it when that credential is changed or revoked. A better solution would give the user an interface to list and revoke their refresh tokens (perhaps on the same page as personal access tokens). In either case the service should store only a hash of the refresh token and treat the raw value as a long-lived secret, since anyone holding it can obtain registry access tokens for as long as it remains valid.
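The following is an added example sketching the two flows the proposal asks for plus both revocation alternatives; it is not GitLab's code and does not reflect how the real /jwt/auth endpoint is implemented. Assumptions: an in-memory USERS table and REFRESH_TOKENS table stand in for the database, the service name container_registry, the 300-second token lifetime and all function names are made up, and the access token is signed with HMAC so the snippet runs stand-alone (the real endpoint signs RS256 JWTs with the certificate the registry trusts). The request and response field names (offline_token, grant_type, refresh_token, token, access_token, expires_in, errors) follow Docker's token and OAuth2 specifications.

```ruby
require 'json'
require 'base64'
require 'openssl'
require 'securerandom'

# Constructed in-memory stand-ins for the user table and a new refresh-token table (assumption).
USERS = { 'alice' => { password: 'correct horse battery', password_version: 1 } }
REFRESH_TOKENS = {} # SHA-256(raw token) => { user:, password_version:, revoked: }

SERVICE     = 'container_registry'   # value of the ?service= parameter (assumed)
TOKEN_TTL   = 300                    # access-token lifetime in seconds (assumed)
SIGNING_KEY = 'constructed-hmac-key' # demo only; production uses RS256 with the registry cert

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def digest(raw)
  OpenSSL::Digest::SHA256.hexdigest(raw)
end

# Docker scope syntax, e.g. "repository:group/project:pull,push" -> "access" claim entries.
def parse_scope(scope)
  scope.to_s.split(' ').map do |entry|
    type, name, actions = entry.split(':', 3)
    { type: type, name: name, actions: actions.to_s.split(',') }
  end
end

# Short-lived bearer token the registry verifies; HMAC-signed here to stay self-contained.
def issue_access_token(username, scope, now = Time.now.to_i)
  header  = { typ: 'JWT', alg: 'HS256' }
  payload = { iss: 'gitlab-issuer', sub: username, aud: SERVICE,
              iat: now, nbf: now, exp: now + TOKEN_TTL, access: parse_scope(scope) }
  signing_input = "#{b64url(header.to_json)}.#{b64url(payload.to_json)}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', SIGNING_KEY, signing_input))}"
end

def decode_access_token(token)
  JSON.parse(Base64.urlsafe_decode64(token.split('.')[1]))
end

# Refresh token: random, opaque, stored only as a hash, and bound to the user's current
# password version so a password change (alternative 1 in the proposal) invalidates it.
def issue_refresh_token(username)
  raw = SecureRandom.urlsafe_base64(32)
  REFRESH_TOKENS[digest(raw)] = { user: username,
                                  password_version: USERS[username][:password_version],
                                  revoked: false }
  raw
end

def refresh_token_valid?(raw)
  rec = REFRESH_TOKENS[digest(raw.to_s)]
  return false if rec.nil? || rec[:revoked]
  rec[:password_version] == USERS[rec[:user]][:password_version]
end

# GET /jwt/auth?service=...&scope=...[&offline_token=true] with HTTP Basic credentials.
# Returns [status, body]. offline_token=true is what the Docker client sends when it wants a
# refresh token to store instead of the password.
def handle_basic_auth(username, password, params)
  user = USERS[username]
  unless user && user[:password] == password # real code: constant-time compare against a hash
    return [401, { errors: [{ code: 'UNAUTHORIZED', message: 'invalid credentials' }] }]
  end
  body = { token: issue_access_token(username, params['scope']), expires_in: TOKEN_TTL }
  body[:refresh_token] = issue_refresh_token(username) if params['offline_token'] == 'true'
  [200, body]
end

# POST /jwt/auth with grant_type=refresh_token (Docker's OAuth2 flow): the client presents the
# stored refresh token and receives a fresh access token; the password is never sent again.
def handle_refresh_grant(params)
  unless params['grant_type'] == 'refresh_token'
    return [400, { errors: [{ code: 'UNSUPPORTED', message: 'unsupported grant_type' }] }]
  end
  unless params['service'] == SERVICE # the refresh token is only good for the registry
    return [400, { errors: [{ code: 'DENIED', message: 'refresh token not valid for this service' }] }]
  end
  unless refresh_token_valid?(params['refresh_token'])
    return [401, { errors: [{ code: 'UNAUTHORIZED', message: 'invalid or revoked refresh token' }] }]
  end
  username = REFRESH_TOKENS[digest(params['refresh_token'])][:user]
  [200, { access_token: issue_access_token(username, params['scope']),
          scope: params['scope'], expires_in: TOKEN_TTL }]
end

# Revocation, both alternatives from the proposal.
def revoke_refresh_token(raw) # explicit revocation from a token-management page
  rec = REFRESH_TOKENS[digest(raw)]
  rec[:revoked] = true if rec
end

def change_password(username, new_password) # implicit revocation on password change
  USERS[username][:password] = new_password
  USERS[username][:password_version] += 1
end
```

The service check in handle_refresh_grant is what enforces the "registry only" restriction from the description: even a leaked refresh token cannot be exchanged for anything but a registry bearer token, and the password_version binding means the old token stops working the moment the user changes their password.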