Setting robot_name_prefix to an empty string blocks OIDC users from logging in via client secret #22395

@mchittka

Description

If you are reporting a problem, please make sure the following information is provided:

Expected behavior and actual behavior:
Currently, if the robot_name_prefix is set to an empty string, the oidc_cli middleware assumes all users are robot accounts:
https://github.com/goharbor/harbor/blob/main/src/server/middleware/security/oidc_cli.go#L62

This blocks OIDC users from logging in via the docker CLI using their client secret, while robot accounts and local users like admin can still log in.

There should be either a warning during startup, or the check should return false on an empty or null prefix.

Steps to reproduce the problem:

  • set robot_name_prefix to an empty string
  • try to log in with an OIDC user via the docker CLI + CLI secret

Versions:
Please specify the versions of the following systems.

  • harbor version: v2.13.2
  • docker engine version: 28.4.0
  • docker-compose version: -

Additional context:

  • Harbor config files:
    "auth_mode": "oidc_auth",
    "oidc_auto_onboard": true,
    "oidc_name": "Keycloak",
    "oidc_endpoint": "https://keycloak.example.com/",
    "oidc_client_id": "harbor",
    "oidc_client_secret": "super_secret",
    "oidc_groups_claim": "roles",
    "oidc_admin_group": "admin",
    "oidc_scope": "openid,email,profile,offline_access",
    "oidc_user_claim": "email",
    "robot_name_prefix": "",
    "robot_token_duration": "365",
    "project_creation_restriction": "adminonly",
    "primary_auth_mode": false
  • Log files: You can get them by packaging the /var/log/harbor/ directory.
    2025-09-26T13:50:55Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /v2/
    2025-09-26T13:50:55Z [DEBUG] [/server/middleware/log/log.go:36]: attach request id 15271d02a151c7ce20db4f828fb535e3 to the logger for the request GET /v2/
    2025-09-26T13:50:55Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="15271d02a151c7ce20db4f828fb535e3"]: an unauthorized security context generated for request GET /v2/
    2025-09-26T13:50:55Z [DEBUG] [/lib/http/error.go:63]: {"errors":[{"code":"UNAUTHORIZED","message":"unauthorized: unauthorized"}]}
    2025-09-26T13:50:56Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:55]: In artifact info middleware, url: /service/token?account=michael.chittka%40inform-software.com&client_id=docker&offline_token=true&service=harbor-registry
    2025-09-26T13:50:56Z [DEBUG] [/core/auth/authenticator.go:145]: Current AUTH_MODE is oidc_auth
    2025-09-26T13:50:56Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="92.212.8.10" user agent="docker/28.4.0 go/go1.24.7 git-commit/249d679 kernel/6.6.87.2-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/28.4.0 \(linux\))"]: failed to authenticate user:[email protected], error:not supported
    2025-09-26T13:50:56Z [DEBUG] [/server/middleware/log/log.go:36]: attach request id bade138bc57e424347a7a0bcfd942c4e to the logger for the request GET /service/token
    2025-09-26T13:50:56Z [DEBUG] [/server/middleware/security/unauthorized.go:28][requestID="bade138bc57e424347a7a0bcfd942c4e"]: an unauthorized security context generated for request GET /service/token
    2025-09-26T13:50:56Z [DEBUG] [/core/service/token/token.go:37]: URL for token request: /service/token?account=me%40example.com&client_id=docker&offline_token=true&service=harbor-registry
    2025-09-26T13:50:56Z [DEBUG] [/core/service/token/creator.go:201]: scopes: []
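The failure mode the report describes comes down to how a prefix test behaves on the empty string: a plain "does the username start with the prefix" check is true for every username when the prefix is "", so every OIDC user is routed down the robot-account path. The following is an added, stand-alone illustration written for this page, not Harbor's own oidc_cli.go code. It shows the weak check beside a hardened form that refuses an empty prefix, plus the startup-time validation the report asks for. The function names, the `robot$` sample prefix and the sample usernames are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// robotPrefixMatches is the weak check: a bare prefix test.
// strings.HasPrefix(s, "") is true for every s, so with an empty prefix
// every username, OIDC users included, is classified as a robot account.
// Illustrative reimplementation; not Harbor's code.
func robotPrefixMatches(prefix, username string) bool {
	return strings.HasPrefix(username, prefix)
}

// isRobotAccountName is the hardened form: an empty (or whitespace-only)
// prefix can never identify a robot account, so it returns false instead
// of matching everything. Function name is an assumption for this example.
func isRobotAccountName(prefix, username string) bool {
	if strings.TrimSpace(prefix) == "" {
		return false
	}
	return strings.HasPrefix(username, prefix)
}

// validateRobotPrefix is the startup check the reporter suggests: it returns
// an error (to be logged as a warning at boot) when the prefix is empty.
func validateRobotPrefix(prefix string) error {
	if strings.TrimSpace(prefix) == "" {
		return errors.New("robot_name_prefix is empty: every username would match the robot-account check")
	}
	return nil
}

// verdict records, for one username, what each check decides.
type verdict struct {
	Name     string
	Weak     bool
	Hardened bool
}

// classify runs both checks over a list of usernames for a given prefix.
func classify(prefix string, names []string) []verdict {
	out := make([]verdict, 0, len(names))
	for _, n := range names {
		out = append(out, verdict{n, robotPrefixMatches(prefix, n), isRobotAccountName(prefix, n)})
	}
	return out
}

func main() {
	// Constructed sample usernames: a robot-style name, an OIDC user, a local admin.
	names := []string{"robot$ci-builder", "me@example.com", "admin"}
	// "robot$" is a sample prefix for this example; "" is the misconfiguration from the report.
	for _, prefix := range []string{"robot$", ""} {
		fmt.Printf("prefix %q (startup check: %v)\n", prefix, validateRobotPrefix(prefix))
		for _, v := range classify(prefix, names) {
			fmt.Printf("  %-20s weak=%-5v hardened=%v\n", v.Name, v.Weak, v.Hardened)
		}
	}
}
```

Running it shows the two checks agreeing for a non-empty prefix and diverging only when the prefix is empty, which is exactly the case where the OIDC user in the log above was handed to the wrong authenticator. Returning false on an empty prefix, or refusing the configuration at startup, closes the gap without changing behaviour for correctly configured installations.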