git.stella-ops.org/docs/modules/registry/architecture.md

Registry Token Service architecture

Overview

Registry Token Service issues short-lived Docker registry bearer tokens for private or mirrored registries. It is designed for offline/self-hosted operation and enforces plan/licence constraints before minting any registry token.

The service is intentionally small:

• One HTTP endpoint: GET /token
• Stateless authorization decisions based on (a) Authority-issued identity token claims and (b) local configuration

Primary responsibilities

• Validate caller identity using Authority-issued tokens (deployment profile may use bearer-only, DPoP, and/or mTLS).
• Authorize requested registry scopes against a configured plan catalogue.
• Deny issuance for revoked licences.
• Mint a Docker-registry-compatible JWT with an access claim covering the permitted repository actions.
• Emit deterministic observability signals (metrics + structured logs) for audits and ops.

Runtime components

Minimal API host

• Project: src/Registry/StellaOps.Registry.TokenService
• Endpoints:
  • GET /token (authorized)
  • GET /healthz (unauthenticated liveness)

Auth integration

• Resource server validation is configured from RegistryTokenService:Authority.
• Authorization policy name: registry.token.issue
• Required scopes default to registry.token.issue (configurable via RegistryTokenService:Authority:RequiredScopes).

Plan registry (authorization rules)

• The caller's plan is read from stellaops:plan claim (fallback: configured DefaultPlan).
• Licence revocation uses stellaops:license claim and configured RevokedLicenses.
• Plan rules match repositories by wildcard pattern (*) and validate requested actions (pull, push, etc.) as a subset of allowed actions.

Token issuer

• Tokens are signed with an RSA private key loaded from RegistryTokenService:Signing:KeyPath (PEM or PFX).
• aud defaults to the requested registry service value unless Signing:Audience is configured.
• Token lifetime is configured and bounded (1s..1h, default 5m).

Observability

• OpenTelemetry metrics:
  • registry_token_issued_total{plan=...}
  • registry_token_rejected_total{reason=...}
• Structured logs via Serilog request logging.

Request flow

1. Docker/OCI client receives a 401 from the registry with a WWW-Authenticate: Bearer realm=...,service=...,scope=repository:... challenge.
2. Client obtains an Authority token with the registry.token.issue scope (and any required sender constraints for the deployment).
3. Client calls GET /token?service=<service>&scope=repository:<repo>:<actions> on Registry Token Service.
4. Service validates:
   • service is present (and is allow-listed if AllowedServices is configured)
   • requested scopes parse correctly
   • caller plan/licence claims authorize all requested repository actions
5. Service returns a JSON response containing the signed registry token.

Denial paths:

• 400 for malformed requests (service missing, invalid scope query).
• 403 for authorization failures (plan/licence/policy denies).

Token shape (Docker registry compatible)

The issued JWT includes:

• sub: subject derived from nameidentifier/client_id/sub claims
• service: the requested registry service
• access: array of { type, name, actions[] } entries (type is repository)
• Optional: stellaops:license passthrough claim (for downstream correlation)

Configuration

Configuration is loaded from:

• etc/registry-token.yaml (optional)
• environment variables prefixed with REGISTRY_TOKEN_

Key sections are defined by RegistryTokenServiceOptions:

• Authority (issuer/metadata, audiences, required scopes)
• Signing (issuer, key, lifetime, optional audience/kid)
• Registry (realm, allow-listed service values)
• Plans, DefaultPlan, RevokedLicenses

References

• Operations/runbook: docs/modules/registry/operations/token-service.md