@@ -461,10 +461,11 @@ private <T> ResponseWrapper<T> executeRequest(
461461 LOG .debug ("New scopes: {}" , newScopes .getScopes ());
462462
463463 // Add authentication header if any
464- if (authProvider .getAuthHeader (containerRef ) != null
464+ var authHeader = authProvider .getAuthHeader (containerRef );
465+ if (authHeader != null
465466 && !authProvider .getAuthScheme ().equals (AuthScheme .NONE )
466467 && includeAuthHeader ) {
467- builder = builder .header (Const .AUTHORIZATION_HEADER , authProvider . getAuthHeader ( containerRef ) );
468+ builder = builder .header (Const .AUTHORIZATION_HEADER , authHeader );
468469 }
469470 headers .forEach (builder ::header );
470471
@@ -524,8 +525,16 @@ private <T> ResponseWrapper<T> redoRequest(
524525 token .expires_in (),
525526 token .issued_at ().plusSeconds (token .expires_in ()));
526527 }
528+ String bearerToken = token .token ();
529+ if (bearerToken == null ) {
530+ // Docker registry auth spec allows either token or auth_token (or both if they are the same)
531+ bearerToken = token .access_token ();
532+ }
533+ if (bearerToken == null ) {
534+ throw new OrasException ("No Bearer token received" );
535+ }
527536 try {
528- builder = builder .setHeader (Const .AUTHORIZATION_HEADER , "Bearer " + token . token () );
537+ builder = builder .setHeader (Const .AUTHORIZATION_HEADER , "Bearer " + bearerToken );
529538 HttpResponse <T > newResponse = client .send (builder .build (), handler );
530539
531540 // Follow redirect
0 commit comments