Store token into caffeine cache (#631)

Signed-off-by: Valentin Delaye <jonesbusy@users.noreply.github.com>

Author: jonesbusy

pom.xml

@@ -60,6 +60,7 @@
     <apache.common-compress.version>1.28.0</apache.common-compress.version>
     <zstd-jni.version>1.5.7-7</zstd-jni.version>
     <bcprov-jdk18on.version>1.83</bcprov-jdk18on.version>
+    <caffeine.version>3.2.3</caffeine.version>
 
     <!-- Test dependencies version -->
     <logback.version>1.5.32</logback.version>
@@ -120,6 +121,11 @@
         <artifactId>logback-classic</artifactId>
         <version>${logback.version}</version>
       </dependency>
+      <dependency>
+        <groupId>com.github.ben-manes.caffeine</groupId>
+        <artifactId>caffeine</artifactId>
+        <version>${caffeine.version}</version>
+      </dependency>
       <dependency>
         <groupId>com.github.luben</groupId>
         <artifactId>zstd-jni</artifactId>
@@ -185,6 +191,10 @@
 
   <!-- Dependencies -->
   <dependencies>
+    <dependency>
+      <groupId>com.github.ben-manes.caffeine</groupId>
+      <artifactId>caffeine</artifactId>
+    </dependency>
     <dependency>
       <groupId>com.github.luben</groupId>
       <artifactId>zstd-jni</artifactId>

src/main/java/land/oras/Registry.java

@@ -200,7 +200,7 @@ public Tags getTags(ContainerRef containerRef) {
         }
         URI uri = URI.create("%s://%s".formatted(getScheme(), ref.getTagsPath(this)));
         HttpClient.ResponseWrapper<String> response = client.get(
-                uri, Map.of(Const.ACCEPT_HEADER, Const.DEFAULT_JSON_MEDIA_TYPE), Scopes.of(this, ref), authProvider);
+                uri, Map.of(Const.ACCEPT_HEADER, Const.DEFAULT_JSON_MEDIA_TYPE), Scopes.of(ref), authProvider);
         logResponse(response);
         handleError(response);
         return JsonUtils.fromJson(response.response(), Tags.class)
@@ -215,7 +215,7 @@ public Tags getTags(ContainerRef containerRef, int n, @Nullable String last) {
         }
         URI uri = URI.create("%s://%s".formatted(getScheme(), ref.getTagsPath(this, n, last)));
         HttpClient.ResponseWrapper<String> response = client.get(
-                uri, Map.of(Const.ACCEPT_HEADER, Const.DEFAULT_JSON_MEDIA_TYPE), Scopes.of(this, ref), authProvider);
+                uri, Map.of(Const.ACCEPT_HEADER, Const.DEFAULT_JSON_MEDIA_TYPE), Scopes.of(ref), authProvider);
         logResponse(response);
         handleError(response);
         return JsonUtils.fromJson(response.response(), Tags.class)
@@ -232,7 +232,7 @@ && getRegistriesConf().isInsecure(ContainerRef.parse(registry).forRegistry(regis
         ContainerRef ref = ContainerRef.parse("default").forRegistry(this);
         URI uri = URI.create("%s://%s".formatted(getScheme(), ref.getRepositoriesPath(this)));
         HttpClient.ResponseWrapper<String> response = client.get(
-                uri, Map.of(Const.ACCEPT_HEADER, Const.DEFAULT_JSON_MEDIA_TYPE), Scopes.of(this, ref), authProvider);
+                uri, Map.of(Const.ACCEPT_HEADER, Const.DEFAULT_JSON_MEDIA_TYPE), Scopes.of(ref), authProvider);
         logResponse(response);
         handleError(response);
         return JsonUtils.fromJson(response.response(), Repositories.class);
@@ -249,7 +249,7 @@ public Referrers getReferrers(ContainerRef containerRef, @Nullable ArtifactType
         }
         URI uri = URI.create("%s://%s".formatted(getScheme(), ref.getReferrersPath(this, artifactType)));
         HttpClient.ResponseWrapper<String> response = client.get(
-                uri, Map.of(Const.ACCEPT_HEADER, Const.DEFAULT_INDEX_MEDIA_TYPE), Scopes.of(this, ref), authProvider);
+                uri, Map.of(Const.ACCEPT_HEADER, Const.DEFAULT_INDEX_MEDIA_TYPE), Scopes.of(ref), authProvider);
         logResponse(response);
         handleError(response);
         return JsonUtils.fromJson(response.response(), Referrers.class);
@@ -266,7 +266,7 @@ public void deleteManifest(ContainerRef containerRef) {
             return;
         }
         URI uri = URI.create("%s://%s".formatted(getScheme(), ref.getManifestsPath(this)));
-        HttpClient.ResponseWrapper<String> response = client.delete(uri, Map.of(), Scopes.of(this, ref), authProvider);
+        HttpClient.ResponseWrapper<String> response = client.delete(uri, Map.of(), Scopes.of(ref), authProvider);
         logResponse(response);
         handleError(response);
     }
@@ -297,7 +297,7 @@ public Manifest pushManifest(ContainerRef containerRef, Manifest manifest) {
                 uri,
                 manifestData,
                 Map.of(Const.CONTENT_TYPE_HEADER, Const.DEFAULT_MANIFEST_MEDIA_TYPE),
-                Scopes.of(this, ref),
+                Scopes.of(ref),
                 authProvider);
         logResponse(response);
         handleError(response);
@@ -336,7 +336,7 @@ public Index pushIndex(ContainerRef containerRef, Index index) {
                 uri,
                 indexData,
                 Map.of(Const.CONTENT_TYPE_HEADER, Const.DEFAULT_INDEX_MEDIA_TYPE),
-                Scopes.of(this, ref),
+                Scopes.of(ref),
                 authProvider);
         logResponse(response);
         handleError(response);
@@ -354,7 +354,7 @@ public void deleteBlob(ContainerRef containerRef) {
             return;
         }
         URI uri = URI.create("%s://%s".formatted(getScheme(), ref.getBlobsPath(this)));
-        HttpClient.ResponseWrapper<String> response = client.delete(uri, Map.of(), Scopes.of(this, ref), authProvider);
+        HttpClient.ResponseWrapper<String> response = client.delete(uri, Map.of(), Scopes.of(ref), authProvider);
         logResponse(response);
         handleError(response);
     }
@@ -475,7 +475,7 @@ public Layer pushBlob(ContainerRef containerRef, Path blob, Map<String, String>
                 uri,
                 Map.of(Const.CONTENT_TYPE_HEADER, Const.APPLICATION_OCTET_STREAM_HEADER_VALUE),
                 blob,
-                Scopes.of(this, ref),
+                Scopes.of(ref),
                 authProvider);
         logResponse(response);
 
@@ -501,7 +501,7 @@ public Layer pushBlob(ContainerRef containerRef, Path blob, Map<String, String>
                     uploadURI,
                     Map.of(Const.CONTENT_TYPE_HEADER, Const.APPLICATION_OCTET_STREAM_HEADER_VALUE),
                     blob,
-                    Scopes.of(this, ref),
+                    Scopes.of(ref),
                     authProvider);
             if (response.statusCode() == 201) {
                 LOG.debug("Successful push: {}", response.response());
@@ -534,7 +534,7 @@ public Layer pushBlob(ContainerRef ref, long size, Supplier<InputStream> stream,
                 uri,
                 new byte[0],
                 Map.of(Const.CONTENT_TYPE_HEADER, Const.APPLICATION_OCTET_STREAM_HEADER_VALUE),
-                Scopes.of(this, containerRef),
+                Scopes.of(containerRef),
                 authProvider);
         logResponse(response);
         if (response.statusCode() != 202) {
@@ -554,7 +554,7 @@ public Layer pushBlob(ContainerRef ref, long size, Supplier<InputStream> stream,
                 size,
                 Map.of(Const.CONTENT_TYPE_HEADER, Const.APPLICATION_OCTET_STREAM_HEADER_VALUE),
                 stream,
-                Scopes.of(this, containerRef),
+                Scopes.of(containerRef),
                 authProvider);
         logResponse(response);
         if (response.statusCode() == 201) {
@@ -586,7 +586,7 @@ public Layer pushBlob(ContainerRef containerRef, byte[] data) {
                 uri,
                 data,
                 Map.of(Const.CONTENT_TYPE_HEADER, Const.APPLICATION_OCTET_STREAM_HEADER_VALUE),
-                Scopes.of(this, ref),
+                Scopes.of(ref),
                 authProvider);
         logResponse(response);
 
@@ -611,7 +611,7 @@ public Layer pushBlob(ContainerRef containerRef, byte[] data) {
                     uploadURI,
                     data,
                     Map.of(Const.CONTENT_TYPE_HEADER, Const.APPLICATION_OCTET_STREAM_HEADER_VALUE),
-                    Scopes.of(this, ref),
+                    Scopes.of(ref),
                     authProvider);
             if (response.statusCode() == 201) {
                 LOG.debug("Successful push: {}", response.response());
@@ -643,7 +643,7 @@ private HttpClient.ResponseWrapper<String> headBlob(ContainerRef containerRef) {
         HttpClient.ResponseWrapper<String> response = client.head(
                 uri,
                 Map.of(Const.ACCEPT_HEADER, Const.APPLICATION_OCTET_STREAM_HEADER_VALUE),
-                Scopes.of(this, containerRef),
+                Scopes.of(containerRef),
                 authProvider);
         logResponse(response);
         return response;
@@ -664,7 +664,7 @@ public byte[] getBlob(ContainerRef containerRef) {
         HttpClient.ResponseWrapper<String> response = client.get(
                 uri,
                 Map.of(Const.ACCEPT_HEADER, Const.APPLICATION_OCTET_STREAM_HEADER_VALUE),
-                Scopes.of(this, ref),
+                Scopes.of(ref),
                 authProvider);
         logResponse(response);
         handleError(response);
@@ -685,7 +685,7 @@ public void fetchBlob(ContainerRef containerRef, Path path) {
                 uri,
                 Map.of(Const.ACCEPT_HEADER, Const.APPLICATION_OCTET_STREAM_HEADER_VALUE),
                 path,
-                Scopes.of(this, ref),
+                Scopes.of(ref),
                 authProvider);
         logResponse(response);
         handleError(response);
@@ -702,7 +702,7 @@ public InputStream fetchBlob(ContainerRef containerRef) {
         HttpClient.ResponseWrapper<InputStream> response = client.download(
                 uri,
                 Map.of(Const.ACCEPT_HEADER, Const.APPLICATION_OCTET_STREAM_HEADER_VALUE),
-                Scopes.of(this, ref),
+                Scopes.of(ref),
                 authProvider);
         logResponse(response);
         handleError(response);
@@ -810,8 +810,8 @@ boolean exists(ContainerRef containerRef) {
             return asInsecure().exists(containerRef);
         }
         URI uri = URI.create("%s://%s".formatted(getScheme(), ref.getManifestsPath(this)));
-        HttpClient.ResponseWrapper<String> response = client.head(
-                uri, Map.of(Const.ACCEPT_HEADER, Const.MANIFEST_ACCEPT_TYPE), Scopes.of(this, ref), authProvider);
+        HttpClient.ResponseWrapper<String> response =
+                client.head(uri, Map.of(Const.ACCEPT_HEADER, Const.MANIFEST_ACCEPT_TYPE), Scopes.of(ref), authProvider);
         logResponse(response);
         return response.statusCode() == 200;
     }
@@ -827,11 +827,11 @@ private HttpClient.ResponseWrapper<String> getManifestResponse(ContainerRef cont
             return asInsecure().getManifestResponse(containerRef);
         }
         URI uri = URI.create("%s://%s".formatted(getScheme(), ref.getManifestsPath(this)));
-        HttpClient.ResponseWrapper<String> response = client.head(
-                uri, Map.of(Const.ACCEPT_HEADER, Const.MANIFEST_ACCEPT_TYPE), Scopes.of(this, ref), authProvider);
+        HttpClient.ResponseWrapper<String> response =
+                client.head(uri, Map.of(Const.ACCEPT_HEADER, Const.MANIFEST_ACCEPT_TYPE), Scopes.of(ref), authProvider);
         logResponse(response);
         handleError(response);
-        return client.get(uri, Map.of("Accept", Const.MANIFEST_ACCEPT_TYPE), Scopes.of(this, ref), authProvider);
+        return client.get(uri, Map.of("Accept", Const.MANIFEST_ACCEPT_TYPE), Scopes.of(ref), authProvider);
     }
 
     private void validateDockerContentDigest(HttpClient.ResponseWrapper<String> response, byte[] data) {
@@ -981,8 +981,8 @@ ResolvedRegistry getResolvedHeaders(ContainerRef containerRef) {
         ContainerRef ref = containerRef.forRegistry(this);
         URI uri = URI.create(
                 "%s://%s".formatted(getScheme(), ref.forRegistry(this).getManifestsPath(this)));
-        HttpClient.ResponseWrapper<String> response = client.head(
-                uri, Map.of(Const.ACCEPT_HEADER, Const.MANIFEST_ACCEPT_TYPE), Scopes.of(this, ref), authProvider);
+        HttpClient.ResponseWrapper<String> response =
+                client.head(uri, Map.of(Const.ACCEPT_HEADER, Const.MANIFEST_ACCEPT_TYPE), Scopes.of(ref), authProvider);
         logResponse(response);
         handleError(response);
         return new ResolvedRegistry(ref.getRegistry(), response.headers());

src/main/java/land/oras/auth/HttpClient.java

@@ -406,7 +406,7 @@ public <T> TokenResponse refreshToken(
         String error = matcher.group(5);
 
         // Add server scope to existing scopes
-        Scopes newScopes = scopes.withNewScope(scope);
+        Scopes newScopes = scopes.withNewScope(scope).withService(service);
         LOG.debug("New scopes with server: {}", newScopes.getScopes());
 
         LOG.debug("WWW-Authenticate header: realm={}, service={}, scope={}, error={}", realm, service, scope, error);
@@ -437,7 +437,10 @@ public <T> TokenResponse refreshToken(
                                         ? "<redacted" // Replace value with ****
                                         : entry.getValue())));
 
-        return JsonUtils.fromJson(responseWrapper.response(), TokenResponse.class);
+        // Put in the cache
+        TokenResponse token = JsonUtils.fromJson(responseWrapper.response(), TokenResponse.class);
+        TokenCache.put(newScopes, token);
+        return token;
     }
 
     static boolean isSameOrigin(URI uri1, URI uri2) {
@@ -493,10 +496,23 @@ private <T> ResponseWrapper<T> executeRequest(
             LOG.debug("Existing scopes: {}", scopes.getScopes());
             LOG.debug("New scopes: {}", newScopes.getScopes());
 
-            // Add authentication header if any
+            // Check if token is present and reuse auth instead of passing auth provider
+            TokenResponse cachedToken = TokenCache.get(newScopes);
+            if (cachedToken == null) {
+                LOG.trace("No cached token found for scopes: {}", newScopes);
+            } else {
+                LOG.trace("Cached token for scopes: {}", newScopes);
+            }
+
+            // Add authentication header if any (from provider or cached token)
             var authHeader = authProvider.getAuthHeader(containerRef);
-            if (authHeader != null && !authProvider.getAuthScheme().equals(AuthScheme.NONE) && includeAuthHeader) {
+            if (cachedToken == null
+                    && authHeader != null
+                    && !authProvider.getAuthScheme().equals(AuthScheme.NONE)
+                    && includeAuthHeader) {
                 builder = builder.header(Const.AUTHORIZATION_HEADER, authHeader);
+            } else if (cachedToken != null && includeAuthHeader) {
+                builder = builder.header(Const.AUTHORIZATION_HEADER, "Bearer " + cachedToken.getEffectiveToken());
             }
             headers.forEach(builder::header);
 
@@ -667,6 +683,7 @@ public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngi
     /**
      * The token response
      * @param token The token
+     * @param service The service (not on response but on HTTP headers)
      * @param access_token The access token
      * @param expires_in The expires in
      * @param issued_at The issued at
@@ -675,8 +692,23 @@ public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngi
     public record TokenResponse(
             String token,
             @Nullable String access_token,
+            @Nullable String service,
             @Nullable Integer expires_in,
-            @Nullable ZonedDateTime issued_at) {}
+            @Nullable ZonedDateTime issued_at) {
+
+        /**
+         * Get the effective token
+         * @return The effective token, which is either the access_token or the token field depending on which one is present
+         */
+        public String getEffectiveToken() {
+            return access_token != null ? access_token : token;
+        }
+
+        @Override
+        public String toString() {
+            return "TokenResponse{" + "expires_in=" + expires_in + ", issued_at=" + issued_at + '}';
+        }
+    }
 
     /**
      * Builder for the HTTP client

src/main/java/land/oras/auth/ScopeUtils.java

@@ -59,7 +59,6 @@ public static List<String> appendRepositoryScope(
         }
         return cleanScopes(cleaned);
     }
-
     /**
      * Create a scope for a repository.
      * @param ref the container reference