docker login with impersonation token with scope `read_registry` fails

Summary

Logging in to the docker registry with an impersonation token that has the scope read_registry fails.

The impersonation token allows setting the scope read_registry, so I'd expect this to work. Also, from reading the docs, I'd conclude that this should work:

The docker registry authentication docs state:

To authenticate, you can use: A personal access token.

The impersonation docs state:

Impersonation tokens are a type of personal access token

Steps to reproduce

  1. Create an impersonation token with scope read_registry for myuser.
  2. Run docker login -u myuser -p <impersonation-token>

What is the current bug behavior?

docker login fails.

$ docker login docker.example.com -u deploy-user -p <impersonation-token>
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://docker.example.com/v2/: denied: access forbidden

What is the expected correct behavior?

The login should succeed as it does with a personal access token.

Relevant logs and/or screenshots

Works with a personal access token:

$ docker login docker.example.com -u myuser -p <personal access token>
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Results of GitLab environment info

GitLab 13.6.2

Edited by Dirk