This post will describe how to setup a docker registry using distribution/distribution to allow for “passwordless” authentication. Now of course, this is not actually passwordless, there’s still a password. But we can (ab)use the fact that both GitLab CI and GitHub Actions give you a JWT signed by the platform, valid for the duration of the run.


Preparing authentik

Setting up federation - GitHub

Create an OpenID Connect Source and set the JWKS URL to All the other fields can be set to random values

Setting up federation - GitLab

Create an OpenID Connect Source and set the Well-known URL to if using GitLab SaaS or if using a self-hosted instance. All the other fields can be set to random values

Setting up the provider

Create a scope mapping for the scope docker-registry with this expression

push_group = "acl_docker_push"

scopes = request.http_request.POST.get("scope", "").split()
access = []
for scope in scopes:
    if scope.count(":") < 2:
    type, name, actions = scope.split(":")
    if not ak_is_group_member(user, name=push_group):
        actions = "pull"
            "type": type,
            "name": name,
            "actions": actions.split(","),
return {
    "access": access,

Create an OAuth2 Provider, make sure that a signing key is selected, select the mapping created above, and select the OpenID Source as JWKS Source. Take note of the Client ID.

Create an application and select the provider.

Also make sure to select a signing key, and download the certificate of the selected key.

Preparing the token service

As a “glue” between the Docker distribution itself and any OIDC Provider, we’ll use

This service will take the JWT generated by GitHub/GitLab, authenticate to the configured OIDC provider, and return the providers JWT as a docker token. This is required because the way the docker client requests a certificate is close to standard OAuth, but slightly different.

To configure this service, set these environment variables:

TOKEN_URL= # Token endpoint of authentik
CLIENT_ID=693e60deada0b71e8ecb3d078e4ebaaf08624e55 # Client ID from above
SCOPE=docker-registry # Scope of the mapping from above
PASS_JWT_USERNAME=JWT # Special username that will allow the usage of a JWT as password

This service then needs to be publicly accessible, in this case I created a Kubernetes ingress for the registry that sends /token to this service.

Setup the registry itself

This requires version 3 of the official docker registry, which is currently in Alpha. For this setup I used

The downloaded certificate from authentik also needs to be mounted into the container.

The main configuration options required for this setup are these environment variables:

REGISTRY_AUTH_TOKEN_REALM= # Full URL to the /token endpoint of the helper service
REGISTRY_AUTH_TOKEN_SERVICE=693e60deada0b71e8ecb3d078e4ebaaf08624e55 # Same client ID as above
REGISTRY_AUTH_TOKEN_JWKS=/srv/docker/cert/trusted.pem # Path to the mounted certificate

Before you can use it

Since all the users from this setup will be created automatically when they first authenticate, the first build will fail. This is because by default that user will not be a member in the correct group to allow docker pushes.

Using it - GitHub

Use this snippet in your GitHub actions workflow

  contents: read
  id-token: write

    runs-on: ubuntu-latest
    # [...] Checkout, etc
    - name: Get GitHub JWT
      id: jwt
      run: |
        JWT=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r .value)
        echo "::set-output name=token::${JWT}"        
    - name: Login to Container Registry
      uses: docker/login-action@v2
        username: JWT
        password: ${{ steps.jwt.outputs.token }}

Using it - GitLab

  stage: build
    entrypoint: [""]
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"\":{\"auth\":\"$(printf "%s:%s" "JWT" "${CI_JOB_JWT_V2}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
    - >-
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/Dockerfile"
      --destination ""      


See, and