Wildcard Scope in JWT Auth Does Not Work as Expected
### Summary

Caught in `401 Unauthorized` error when [deleting manifest in GitLab registry API](https://docs.docker.com/registry/spec/api/#delete-manifest). Deleting a manifest requires wildcard action scope (that is `repository:repo_name:*`) and the token generator at `gitlab.com/jwt/auth` does not correctly generate access payload for me.

This is the partially decoded JWT payload from `gitlab.com/jwt/auth` and `auth.docker.io/token` for side-by-side comparison.

- gitlab.com

```json
{
  "access": [],
  "aud": "container_registry",
  "sub": "[REDACTED]",
  "iss": "omnibus-gitlab-issuer",
  ...
}
```

- auth.docker.io

```json
{
  "access": [
    {
      "type": "repository",
      "name": "[REDACTED]",
      "actions": [
        "*"
      ]
    }
  ],
  "aud": "registry.docker.io",
  "iss": "auth.docker.io",
  "[REDACTED]",
  ...
}
```

As you can see, the generated JWT token from gitlab.com yields an empty access object rather than repository access with wildcard actions (which is the expected generated token).

### Steps to reproduce

Use curl or an API tester to connect to `https://gitlab.com/jwt/auth?service=container_registry&scope=repository:<some_repo>:*` (use basic auth with user and pass from an actual GitLab user) and use base64decode to disassemble the JWT payload.

### Expected behavior

```
{
  "access": [
    {
      "type": "repository",
      "name": "<some_repo>",
      "actions": [
        "*"
      ]
    }
  ],
  "aud": "container_registry",
  "iss": "omnibus-gitlab-issuer",
  ...
}
```

### Actual behavior

```
{
  "access": [],
  "aud": "container_registry",
  "iss": "omnibus-gitlab-issuer",
  ...
}
```

### Output of checks

This bug happens on GitLab.com
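The comparison described in the issue can be automated. The following is an added example, not part of the original report or of GitLab's code: it decodes a registry token's payload without verifying the signature and reports which requested actions are absent from the `access` claim. The repository name `group/project`, the helper names, and the sample tokens are constructed for illustration, and action strings are compared literally, so a requested `*` is satisfied only by a `*` entry.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def parse_scope(scope: str) -> tuple:
    """Split 'type:name:actions'; the name may itself contain ':' (host:port/repo)."""
    rtype, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)
    return rtype, name, set(actions.split(","))


def missing_actions(token: str, scope: str) -> set:
    """Actions requested in `scope` that the token's `access` claim does not grant."""
    rtype, name, wanted = parse_scope(scope)
    granted = set()
    for entry in decode_payload(token).get("access") or []:
        if entry.get("type") == rtype and entry.get("name") == name:
            granted.update(entry.get("actions", []))
    return wanted - granted


def make_sample_token(access: list) -> str:
    """Constructed sample token; the signature segment is a dummy and never checked."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"access": access, "aud": "container_registry", "iss": "omnibus-gitlab-issuer"}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    scope = "repository:group/project:*"  # constructed repository name
    expected = make_sample_token([{"type": "repository", "name": "group/project", "actions": ["*"]}])
    actual = make_sample_token([])  # mirrors the empty "access" array reported above
    print("expected token is missing:", missing_actions(expected, scope))
    print("actual token is missing:  ", missing_actions(actual, scope))
```

A non-empty result before calling the registry means the `401 Unauthorized` originates at the token endpoint rather than at the registry itself.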