Wildcard Scope in JWT Auth Does Not Work as Expected
### Summary
Caught in `401 Unauthorized` error when [deleting manifest in GitLab registry API](https://docs.docker.com/registry/spec/api/#delete-manifest). Deleting manifest require wildcard action scope (that is `repository:repo_name:*`) and the token generator at `gitlab.com/jwt/auth` does not correctly generate access payload for me. This is the partially decoded JWT payload from `gitlab.com/jwt/auth` and `auth.docker.io/token` for side-by-side comparison.
- gitlab.com
```json
{
"access": [],
"aud": "container_registry",
"sub": "[REDACTED]",
"iss": "omnibus-gitlab-issuer",
...
}
```
- auth.docker.io
```json
{
"access": [
{
"type": "repository",
"name": "[REDACTED]",
"actions": [
"*"
]
}
],
"aud": "registry.docker.io",
"iss": "auth.docker.io",
"[REDACTED]",
...
}
```
As you can see, the generated JWT token from gitlab.com yield empty access object rather than repository access with wildcard actions (which is the expected generated token).
### Steps to reproduce
Use curl or API tester to connect to `https://gitlab.com/jwt/auth?service=container_registry&scope=repository:<some_repo>:*` (use basic auth with user and pass from actual GitLab user) and use base64decode to dissassemble the JWT payload.
### Expected behavior
```
{
"access": [
{
"type": "repository",
"name": "<some_repo>",
"actions": [
"*"
]
}
],
"aud": "container_registry",
"iss": "omnibus-gitlab-issuer",
...
}
```
### Actual behavior
```
{
"access": [],
"aud": "container_registry",
"iss": "omnibus-gitlab-issuer",
...
}
```
### Output of checks
This bug happens on GitLab.com
issue