Push or pull on ghcr package results in error when authenticating with an oauth app

This is a strange one that maybe someone has experienced before.

When I generated a PAT with the following scopes: repo read:packages write:packages delete:packages and use that PAT in docker login ghcr.io -u logikaljay I am able to push and pull packages without any problems.

When I use the OAuth app with either device flow or auth code flow, with the same scopes, I get the following errors.
On push:

$ docker push ghcr.io/logikaljay/test-fn:latest
The push refers to repository [ghcr.io/logikaljay/test-fn]
82c238761b57: Retrying in 1 second 
1049296cf531: Retrying in 1 second 
c3c26b644eb6: Retrying in 1 second 
c69b14870e0e: Retrying in 1 second 
999e8d6972a7: Retrying in 1 second 
...
77cae8ab23bf: Waiting 
unauthorized

On pull:

$ docker pull ghcr.io/logikaljay/test-fn:latest
Error response from daemon: pull access denied for ghcr.io/logikaljay/test-fn, repository does not exist or may require 'docker login': denied: permission_denied: The token provided does not match expected scopes.

After authenticating with device flow, the response from https://github.com/login/oauth/access_token is (access_token obfuscated):

{
  access_token: '***',
  token_type: 'bearer',
  scope: 'delete:packages,read:packages,repo,write:packages'
}

Has anyone had any luck trying to push a docker image to ghcr using an OAuth app based access_token instead of a manually generated PAT ?

For other people that may find this topic due to keyword searches, I believe it is answered in another topic:

1 Like