oras-project
diff --git a/‎example_copy_test.go‎
Lines changed: 2 additions & 1 deletion b/‎example_copy_test.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎example_test.go‎
Lines changed: 5 additions & 5 deletions b/‎example_test.go‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎registry/remote/credentials/registry.go‎ ‎registry/remote/auth.go‎registry/remote/credentials/registry.go renamed to registry/remote/auth.go
Lines changed: 8 additions & 8 deletions b/‎registry/remote/credentials/registry.go‎ ‎registry/remote/auth.go‎registry/remote/credentials/registry.go renamed to registry/remote/auth.go
Lines changed: 8 additions & 8 deletions
diff --git a/‎registry/remote/auth/client.go‎
Lines changed: 7 additions & 29 deletions b/‎registry/remote/auth/client.go‎
Lines changed: 7 additions & 29 deletions
@@ -37,6 +37,7 @@ import (
 	"oras.land/oras-go/v2/internal/spec"
 	"oras.land/oras-go/v2/registry/remote"
 	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/credentials"
 	"oras.land/oras-go/v2/registry/remote/retry"
 )
 
@@ -451,7 +452,7 @@ func Example_extendedCopyArtifactAndReferrersToRepository() {
 	repo.Client = &auth.Client{
 		Client: retry.DefaultClient,
 		Cache:  auth.NewCache(),
-		Credential: auth.StaticCredential(registry, auth.Credential{
+		Credential: credentials.StaticCredential(registry, credentials.Credential{
 			Username: "username",
 			Password: "password",
 		}),
 
@@ -50,7 +50,7 @@ func Example_pullFilesFromRemoteRepository() {
 	repo.Client = &auth.Client{
 		Client: retry.DefaultClient,
 		Cache:  auth.NewCache(),
-		Credential: auth.StaticCredential(reg, auth.Credential{
+		Credential: credentials.StaticCredential(reg, credentials.Credential{
 			Username: "username",
 			Password: "password",
 		}),
@@ -85,7 +85,7 @@ func Example_pullImageFromRemoteRepository() {
 	repo.Client = &auth.Client{
 		Client: retry.DefaultClient,
 		Cache:  auth.NewCache(),
-		Credential: auth.StaticCredential(reg, auth.Credential{
+		Credential: credentials.StaticCredential(reg, credentials.Credential{
 			Username: "username",
 			Password: "password",
 		}),
@@ -127,7 +127,7 @@ func Example_pullImageUsingDockerCredentials() {
 	repo.Client = &auth.Client{
 		Client:     retry.DefaultClient,
 		Cache:      auth.NewCache(),
-		Credential: credentials.Credential(credStore), // Use the credentials store
+		Credential: remote.Credential(credStore), // Use the credentials store
 	}
 
 	// 2. Copy from the remote repository to the OCI layout store
@@ -190,7 +190,7 @@ func Example_pushFilesToRemoteRepository() {
 	repo.Client = &auth.Client{
 		Client: retry.DefaultClient,
 		Cache:  auth.NewCache(),
-		Credential: auth.StaticCredential(reg, auth.Credential{
+		Credential: credentials.StaticCredential(reg, credentials.Credential{
 			Username: "username",
 			Password: "password",
 		}),
@@ -218,7 +218,7 @@ func Example_attachBlobToRemoteRepository() {
 	repo.Client = &auth.Client{
 		Client: retry.DefaultClient,
 		Cache:  auth.NewCache(),
-		Credential: auth.StaticCredential(registry, auth.Credential{
+		Credential: credentials.StaticCredential(registry, credentials.Credential{
 			Username: "username",
 			Password: "password",
 		}),
 
@@ -13,15 +13,15 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package credentials
+package remote
 
 import (
 	"context"
 	"errors"
 	"fmt"
 
-	"oras.land/oras-go/v2/registry/remote"
 	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/credentials"
 )
 
 // ErrClientTypeUnsupported is thrown by Login() when the registry's client type
@@ -32,7 +32,7 @@ var ErrClientTypeUnsupported = errors.New("client type not supported")
 // registry's client should be nil or of type *auth.Client. Login uses
 // a client local to the function and will not modify the original client of
 // the registry.
-func Login(ctx context.Context, store Store, reg *remote.Registry, cred auth.Credential) error {
+func Login(ctx context.Context, store credentials.Store, reg *Registry, cred credentials.Credential) error {
 	// create a clone of the original registry for login purpose
 	regClone := *reg
 	// we use the original client if applicable, otherwise use a default client
@@ -47,7 +47,7 @@ func Login(ctx context.Context, store Store, reg *remote.Registry, cred auth.Cre
 	}
 	regClone.Client = &authClient
 	// update credentials with the client
-	authClient.Credential = auth.StaticCredential(reg.Reference.Registry, cred)
+	authClient.Credential = credentials.StaticCredential(reg.Reference.Registry, cred)
 	// validate and store the credential
 	if err := regClone.Ping(ctx); err != nil {
 		return fmt.Errorf("failed to validate the credentials for %s: %w", regClone.Reference.Registry, err)
@@ -60,7 +60,7 @@ func Login(ctx context.Context, store Store, reg *remote.Registry, cred auth.Cre
 }
 
 // Logout provides the logout functionality given the registry name.
-func Logout(ctx context.Context, store Store, registryName string) error {
+func Logout(ctx context.Context, store credentials.Store, registryName string) error {
 	registryName = ServerAddressFromRegistry(registryName)
 	if err := store.Delete(ctx, registryName); err != nil {
 		return fmt.Errorf("failed to delete the credential for %s: %w", registryName, err)
@@ -69,11 +69,11 @@ func Logout(ctx context.Context, store Store, registryName string) error {
 }
 
 // Credential returns a Credential() function that can be used by auth.Client.
-func Credential(store Store) auth.CredentialFunc {
-	return func(ctx context.Context, hostport string) (auth.Credential, error) {
+func Credential(store credentials.Store) credentials.CredentialFunc {
+	return func(ctx context.Context, hostport string) (credentials.Credential, error) {
 		hostport = ServerAddressFromHostname(hostport)
 		if hostport == "" {
-			return auth.EmptyCredential, nil
+			return credentials.EmptyCredential, nil
 		}
 		return store.Get(ctx, hostport)
 	}
 
@@ -27,6 +27,7 @@ import (
 	"net/url"
 	"strings"
 
+	"oras.land/oras-go/v2/registry/remote/credentials"
 	"oras.land/oras-go/v2/registry/remote/internal/errutil"
 	"oras.land/oras-go/v2/registry/remote/retry"
 )
@@ -58,29 +59,6 @@ var maxResponseBytes int64 = 128 * 1024 // 128 KiB
 // See also ClientID.
 var defaultClientID = "oras-go"
 
-// CredentialFunc represents a function that resolves the credential for the
-// given registry (i.e. host:port).
-//
-// [EmptyCredential] is a valid return value and should not be considered as
-// an error.
-type CredentialFunc func(ctx context.Context, hostport string) (Credential, error)
-
-// StaticCredential specifies static credentials for the given host.
-func StaticCredential(registry string, cred Credential) CredentialFunc {
-	if registry == "docker.io" {
-		// it is expected that traffic targeting "docker.io" will be redirected
-		// to "registry-1.docker.io"
-		// reference: https://github.com/moby/moby/blob/v24.0.0-beta.2/registry/config.go#L25-L48
-		registry = "registry-1.docker.io"
-	}
-	return func(_ context.Context, hostport string) (Credential, error) {
-		if hostport == registry {
-			return cred, nil
-		}
-		return EmptyCredential, nil
-	}
-}
-
 // Client is an auth-decorated HTTP client.
 // Its zero value is a usable client that uses http.DefaultClient with no cache.
 type Client struct {
@@ -102,7 +80,7 @@ type Client struct {
 	// EmptyCredential is a valid return value and should not be considered as
 	// an error.
 	// If nil, the credential is always resolved to EmptyCredential.
-	Credential CredentialFunc
+	Credential credentials.CredentialFunc
 
 	// Cache caches credentials for direct accessing the remote registry.
 	// If nil, no cache is used.
@@ -140,9 +118,9 @@ func (c *Client) send(req *http.Request) (*http.Response, error) {
 }
 
 // credential resolves the credential for the given registry.
-func (c *Client) credential(ctx context.Context, reg string) (Credential, error) {
+func (c *Client) credential(ctx context.Context, reg string) (credentials.Credential, error) {
 	if c.Credential == nil {
-		return EmptyCredential, nil
+		return credentials.EmptyCredential, nil
 	}
 	return c.Credential(ctx, reg)
 }
@@ -283,7 +261,7 @@ func (c *Client) fetchBasicAuth(ctx context.Context, registry string) (string, e
 	if err != nil {
 		return "", fmt.Errorf("failed to resolve credential: %w", err)
 	}
-	if cred == EmptyCredential {
+	if cred == credentials.EmptyCredential {
 		return "", ErrBasicCredentialNotFound
 	}
 	if cred.Username == "" || cred.Password == "" {
@@ -302,7 +280,7 @@ func (c *Client) fetchBearerToken(ctx context.Context, registry, realm, service
 	if cred.AccessToken != "" {
 		return cred.AccessToken, nil
 	}
-	if cred == EmptyCredential || (cred.RefreshToken == "" && !c.ForceAttemptOAuth2) {
+	if cred == credentials.EmptyCredential || (cred.RefreshToken == "" && !c.ForceAttemptOAuth2) {
 		return c.fetchDistributionToken(ctx, realm, service, scopes, cred.Username, cred.Password)
 	}
 	return c.fetchOAuth2Token(ctx, realm, service, scopes, cred)
@@ -362,7 +340,7 @@ func (c *Client) fetchDistributionToken(ctx context.Context, realm, service stri
 
 // fetchOAuth2Token fetches an OAuth2 access token.
 // Reference: https://distribution.github.io/distribution/spec/auth/oauth/
-func (c *Client) fetchOAuth2Token(ctx context.Context, realm, service string, scopes []string, cred Credential) (string, error) {
+func (c *Client) fetchOAuth2Token(ctx context.Context, realm, service string, scopes []string, cred credentials.Credential) (string, error) {
 	form := url.Values{}
 	if cred.RefreshToken != "" {
 		form.Set("grant_type", "refresh_token")