Unable to Authenticate Harbor REST API with Asgardeo OIDC

[Shehan-lakshitha]

We are developing a service to automate user management for projects using the Harbor 2.9.0 REST API. Specifically, we need to add users to projects programmatically. However, we are encountering authentication challenges when Harbor is configured with Asgardeo as the OIDC provider.

Attempts & Issues

• Using Robot Accounts
  - Initially, we attempted to authenticate using robot accounts.
  - Unfortunately, robot accounts lack the necessary permissions to add users to projects.
  - This results in a 403 Forbidden error when attempting to perform user management operations.
• Using ID Token from an Admin User
  - As an alternative, we followed an approach similar to API token generation when using OIDC authentication #10597 (comment), where we attempted to use the ID token obtained from an admin user.
  - However, this approach also fails, returning the following error response from the API:

{
  "errors": [
    {
      "code": "UNAUTHORIZED",
      "message": "unauthorized"
    }
  ]
}

Expected Behavior

We expect to successfully authenticate Harbor REST APIs to add users to projects.
I've seen several issues on this matter, but there is no proper workaround to fix.

[wy65701436]

Regarding Attempt 1, you can upgrade Harbor to v2.11 or later, as these versions support assigning user management scope to a robot account.