@rhuss

The reason is probably that for the authentication still invaliduser is used

I do not think so. I believe the correct username is used, but the user is not authorized on the specific namespace; i.e authentication succeeds but authorization does not.

I suggest to not asked for the username here

I am not sure what you mean.
IMO we should ask for username. Imagine you want to push image into some orgnatization.

export FUNC_REGISTRY=docker.io/our-org

You still want to user your personal login (e.g. my-user-name) which belongs to the org, right?

However I agree the error messages could be better.

You could at least repeat the username or org for which authentication is done. And I don't think it's always about authorization, as the invalid user does not exist at Docker Hub, including much more context around the error. Of course, the user or orga could exist, too, so it's then about authorization. But still, it's then not an invalid credentials error, that clearly indicates an authentication error (it would be no access kind of message for authorization errors).

At least that error took me some hours to figure out that I had a typo in the env's repo name. Yes, there was a warning, but it fades out quickly.

And I don't think it's always about authorization, as the invalid user does not exist at Docker Hub

Yes, but I suspect that API would still return authorization error not 404, so I am not sure if we would be able to differentiate. Some APIs return authorization error even for non-existent entries for sake of security or something.

Again I agree the error should be better.

@gauron99 would you look into this?

Basically CheckAuth() have to return two distinct errors; authentication error and authorization error.

Some time ago the function was checking authentication, but then in #1130 we switched and the function directly checked authorization on given image.

The function should check authentication first, then authorization and return appropriate error if one of these fails.

The user should be then informed about what failed.

If you would work on this, @gauron99 , make sure it works against ghcr.io,docker.io,quay.io and gcr.io. Also please do not forget adding tests.

thanks Matej, will take a look

This also my required signature change of CredentialsCallback -- it might need additional parameter -- previous error.

I think the most important part is to add more context to the error message, like the image name for which you want to authenticate. Whether its an authorization, authentication or user-not-known error might be nice to have.