Hub: allow access tokens for organizations #461

Closed
marcelstoer opened this issue Mar 3, 2023 · 10 comments
Labels
community_new New idea raised by a community contributor docker_hub Improvements or additions to Docker Hub

Comments

@marcelstoer

Tell us about your request
Docker Hub organizations should be able to hand out access tokens which grant access to all org repos.

Which service(s) is this request for?
Docker Hub

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I am one of the owners of a Docker Hub organization. The org maintains a couple of public repos for open-source projects. We push images into those repos from a GitHub Actions workflow. Hence, we need an access token to authenticate against Docker Hub. However, which token to use?

Are you currently working around the issue?
An (arbitrary) owner of the organization created a dedicated access token which we use to push images to an org repo.

Additional context
n/a

@marcelstoer marcelstoer added the community_new New idea raised by a community contributor label Mar 3, 2023
@derKrischan

Our org is also in need of tokens in scope of the organization. At the moment we're using personal access tokens as a workaround. Nevertheless, this always leaves the risk that if a member leaves the organization whose PAT was used for e.g. a pipeline, all of a sudden the pipeline stops working.

I suggest that owners of a Docker Hub organization should be able to manage tokens for the organization.

@ajthilakan ajthilakan added the docker_hub Improvements or additions to Docker Hub label Oct 6, 2023
@technicallyjosh technicallyjosh self-assigned this Oct 11, 2023
@technicallyjosh

Hey all, an update here from engineering.

This is something that we know has been asked for for years. We too have this issue internally and I wanted to let you know that we are currently working on some ideas on how to best accomplish this. I can't say much currently, but I can tell you that we are actively working towards some sort of solution here. 😄

We will keep you all posted as we progress on this.

@jHubbsy

jHubbsy commented Dec 12, 2023

Question: Considering @technicallyjosh's response, does this mean that any personal access tokens I have set up for my user in Docker Hub will be valid for any repositories that exist under an organization that I am a part of?

@technicallyjosh

technicallyjosh commented Dec 12, 2023

Yes, that is how it works currently @jHubbsy. I can confirm, however, that we plan to allow for fine-grained access for these PATs in the future. More to come on that as we are working out a solid roadmap around authentication/authorization right now.

A little context on that behavior: Your PAT will only have access to the repos you actually have access to. We take into consideration any contributor status or ones you have access to and the level in your organizations. E.g., a read-only PAT can't read repos you aren't explicitly added to via groups and "read" access in repo management for your org.

@technicallyjosh

technicallyjosh commented May 30, 2024

Hello friends, just an update here.

I'm happy to confirm that we have started planning the work on org-scoped tokens 😄 We will have more to share soon! 🎉

No timeline quite yet, but it's coming!

@technicallyjosh technicallyjosh moved this from Investigating to Upcoming in docker-roadmap May 30, 2024
jakobht added a commit to cadence-workflow/cadence that referenced this issue Aug 14, 2024
The ubercadence dockerhub user has been changed from a user to an
organization, this means we can no longer log in as ubercadence.

Sadly dockerhub does not support access tokens for organisations, see
docker/roadmap#461 it is however on the
roadmap https://github.com/orgs/docker/projects/51

Until this is supported the workaround is to use a user login that has
access to the org. So as I am such a user we will use mine for the time
being.
neil-xie pushed a commit to cadence-workflow/cadence that referenced this issue Aug 15, 2024
* Change dockerhub user from ubercadence to jht305

The ubercadence dockerhub user has been changed from a user to an
organization, this means we can no longer log in as ubercadence.

Sadly dockerhub does not support access tokens for organisations, see
docker/roadmap#461 it is however on the
roadmap https://github.com/orgs/docker/projects/51

Until this is supported the workaround is to use a user login that has
access to the org. So as I am such a user we will use mine for the time
being.

* Empty commit to trigger github CI
@technicallyjosh

Hey all, we've just released the first iteration of this!

https://www.docker.com/blog/introducing-organization-access-tokens/

@technicallyjosh technicallyjosh moved this from Upcoming to Beta in docker-roadmap Oct 15, 2024
@pawelbakstosia pawelbakstosia mentioned this issue Oct 20, 2024
Closed
@ivotron

ivotron commented Nov 8, 2024

Thanks for this feature! I tried it out today to work with the REST API but got this:

Cannot log into an organization account

I assume that means that these tokens cannot be used with the API, is that correct? The documentation mentions that "You can use an organization access token when you sign in using Docker CLI" but it doesn't say that it is the only way they work. If this is limited to the CLI, it would be good to clarify in the docs.

Thank you!

@technicallyjosh

technicallyjosh commented Nov 15, 2024

I assume that means that these tokens cannot be used with the API, is that correct?

Hey, sorry for the delay. Yes, correct, we do not support it (yet) on the API. We will be adding more scopes in the near future that will make that type of login make sense. We started out with just registry access for now. I can say that we'll add more scopes and abilities after we finish our work here soon on Scout and Build Cloud capabilities with OATs.

@asfernandes

Is this available for Free Team Orgs?
I cannot see it.

Projects
Status: Beta
13 participants