Authorization / Authentication / Login

Important feature of every package registry is the authorization and authentication. This is needed to ensure only authorized users can publish and retrieve packages. Open SPM Registry supports different methods to authenticate against the registry.

No Auth

just for testing purposes or proxied through external auth provider

Add auth block to config.yml and set auth.enabled to false

  auth:
    enabled: false

now you can publish and retrieve packages without any authentication

Basic Auth

in case just basic security is needed, not recommended for public registries

Add auth block to config.yml and set auth.type to basic

  auth:
    type: basic
    users:
      - username: admin
        password: 937e8d5fbb48bd4949536cd65b8d35c426b80d2f830c5c308e2cdec422ae2244

Passwords are stored as sha256 hashes, therefore you need to hash your password before adding it to the config.

afterward you can login with

swift package-registry login --username [username] --password sha265([password])

Use OIDC provider

Add auth block to config.yml and set auth to the name of the provider e.g. Auth0

⚠️ Important currently only grant type password or code is supported.

  auth:
    name: auth0
    type: oidc
    grant_type: [password|code]
    issuer: (e.g. https://.....auth0.com/)
    client_id: ******
    client_secret: ******

Code (Authorization Code)

recommended for public auth providers eg. Auth0, Google, etc

in case of code grant type you need to set the redirect url in the provider to https://server:port/callback

Excecute

swift package-registry login https://server:port --token #####

with the code you get from the browser invoke: https://server:port/login

Password (Resource Owner Password Credentials)

not recommended for public auth providers, only in case provider should be hidden / not exposed to the users and trusted

In case of password grant type also go to https://server:port/login and enter your credentials

  • Be aware the password is transmitted in clear text (well base64 encoded) to this server
  • Therefor it is recommended to use https at least for the connection.
  • Login will be CSRF protected though

    DO NOT USE swift package-registry login https://server:port --username [username] --password [password] (it will not work)

once obtained token login similar to code grant type

swift package-registry login https://server:port --token #####