diff -urN flatpak-1.6.2/common/flatpak-oci-registry.c flatpak-1.6.2.new/common/flatpak-oci-registry.c
--- flatpak-1.6.2/common/flatpak-oci-registry.c	2019-12-20 09:52:17.000000000 +0000
+++ flatpak-1.6.2.new/common/flatpak-oci-registry.c	2020-03-20 12:01:39.923000000 +0000
@@ -901,6 +901,7 @@
 
 static char *
 get_token_for_www_auth (FlatpakOciRegistry *self,
+                        const char    *repository,
                         const char    *www_authenticate,
                         const char    *auth,
                         GCancellable  *cancellable,
@@ -911,6 +912,7 @@
   g_autoptr(GHashTable) params = NULL;
   g_autoptr(GHashTable) args = NULL;
   const char *realm, *service, *scope, *token;
+  g_autofree char *default_scope = NULL;
   g_autoptr(SoupURI) auth_uri = NULL;
   g_autoptr(GBytes) body = NULL;
   g_autoptr(JsonNode) json = NULL;
@@ -941,16 +943,21 @@
   service = g_hash_table_lookup (params, "service");
   if (service)
     g_hash_table_insert (args, "service", (char *)service);
+
   scope = g_hash_table_lookup (params, "scope");
-  if (scope)
-    g_hash_table_insert (args, "scope", (char *)scope);
+  if (scope == NULL)
+    scope = default_scope = g_strdup_printf("repository:%s:pull", repository);
+  g_hash_table_insert (args, "scope", (char *)scope);
 
   soup_uri_set_query_from_form (auth_uri, args);
 
   auth_msg = soup_message_new_from_uri ("GET", auth_uri);
 
-  g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth);
-  soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth);
+  if (auth)
+    {
+      g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth);
+      soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth);
+    }
 
   auth_stream = soup_session_send (self->soup_session, auth_msg, NULL, error);
   if (auth_stream == NULL)
@@ -1030,7 +1037,7 @@
       return NULL;
     }
 
-  token = get_token_for_www_auth (self, www_authenticate, basic_auth, cancellable, error);
+  token = get_token_for_www_auth (self, repository, www_authenticate, basic_auth, cancellable, error);
   if (token == NULL)
     return NULL;
 
diff -urN flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c
--- flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c	2019-12-19 09:33:40.000000000 +0000
+++ flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c	2020-03-20 12:01:39.936000000 +0000
@@ -428,10 +428,12 @@
   g_autoptr(GError) error = NULL;
   g_autoptr(AutoFlatpakAuthenticatorRequest) request = NULL;
   const char *auth = NULL;
+  gboolean have_auth;
   const char *oci_registry_uri = NULL;
   gsize n_refs, i;
   gboolean no_interaction = FALSE;
   g_autoptr(FlatpakOciRegistry) registry = NULL;
+  g_autofree char *first_token = NULL;
   GVariantBuilder tokens;
   GVariantBuilder results;
   g_autofree char *sender = g_strdup (g_dbus_method_invocation_get_sender (invocation));
@@ -439,6 +441,7 @@
   g_debug ("handling Authenticator.RequestRefTokens");
 
   g_variant_lookup (arg_authenticator_options, "auth", "&s", &auth);
+  have_auth = auth != NULL;
 
   if (!g_variant_lookup (arg_options, "xa.oci-registry-uri", "&s", &oci_registry_uri))
     {
@@ -476,18 +479,33 @@
     return error_request (request, sender, error->message);
 
 
-  if (auth == NULL)
+  /* Look up credentials in config files */
+  if (!have_auth)
     {
       g_debug ("Looking for %s in auth info", oci_registry_uri);
       auth = lookup_auth_from_config (oci_registry_uri);
+      have_auth = auth != NULL;
     }
 
+  /* Try to see if we can get a token without presenting credentials */
   n_refs = g_variant_n_children (arg_refs);
-  if (auth == NULL && n_refs > 0 &&
+  if (!have_auth && n_refs > 0)
+    {
+      g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0);
+
+      first_token = get_token_for_ref (registry, ref_data, NULL, &error);
+      if (first_token != NULL)
+        have_auth = TRUE;
+      else
+        g_clear_error (&error);
+    }
+
+  /* Prompt the user for credentials */
+  n_refs = g_variant_n_children (arg_refs);
+  if (!have_auth && n_refs > 0 &&
       !no_interaction)
     {
       g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0);
-      g_autofree char *token = NULL;
 
       while (auth == NULL)
         {
@@ -498,13 +516,21 @@
           if (test_auth == NULL)
             return cancel_request (request, sender);
 
-          token = get_token_for_ref (registry, ref_data, test_auth, &error);
-          if (token != NULL)
-            auth = g_steal_pointer (&test_auth);
+          first_token = get_token_for_ref (registry, ref_data, test_auth, &error);
+          if (first_token != NULL)
+            {
+              auth = g_steal_pointer (&test_auth);
+              have_auth = TRUE;
+            }
+          else
+            {
+              g_debug ("Failed to get token: %s", error->message);
+              g_clear_error (&error);
+            }
         }
     }
 
-  if (auth == NULL)
+  if (!have_auth)
     return error_request (request, sender, "No authentication information available");
 
   g_variant_builder_init (&tokens, G_VARIANT_TYPE ("a{sas}"));
@@ -515,9 +541,16 @@
       char *for_refs_strv[2] = { NULL, NULL};
       g_autofree char *token = NULL;
 
-      token = get_token_for_ref (registry, ref_data, auth, &error);
-      if (token == NULL)
-        return error_request (request, sender, error->message);
+      if (i == 0 && first_token != NULL)
+        {
+          token = g_steal_pointer (&first_token);
+        }
+      else
+        {
+          token = get_token_for_ref (registry, ref_data, auth, &error);
+          if (token == NULL)
+            return error_request (request, sender, error->message);
+        }
 
       g_variant_get_child (ref_data, 0, "&s", &for_refs_strv[0]);
       g_variant_builder_add (&tokens, "{s^as}", token, for_refs_strv);