From 321d47c90fc647d76bddaee01a18a9e8eaa80b6d Mon Sep 17 00:00:00 2001
From: Tonis Tiigi <tonistiigi@gmail.com>
Date: Tue, 11 Aug 2020 19:08:41 -0700
Subject: [PATCH] resolver: avoid retrying fatal error

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
---
 util/resolver/authorizer.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/util/resolver/authorizer.go b/util/resolver/authorizer.go
index 6cd6351a6b1a5..d63dded7945b9 100644
--- a/util/resolver/authorizer.go
+++ b/util/resolver/authorizer.go
@@ -148,7 +148,17 @@ func (a *dockerAuthorizer) AddResponses(ctx context.Context, responses []*http.R
 		if c.Scheme == auth.BearerAuth {
 			if err := invalidAuthorization(c, responses); err != nil {
 				a.handlers.delete(handler)
+
+				oldScope := ""
+				if handler != nil {
+					oldScope = strings.Join(handler.common.Scopes, " ")
+				}
 				handler = nil
+
+				// this hacky way seems to be best method to detect that error is fatal and should not be retried with a new token
+				if c.Parameters["error"] == "insufficient_scope" && c.Parameters["scope"] == oldScope {
+					return err
+				}
 			}
 
 			// reuse existing handler