diff --git a/client/container_copy.go b/client/container_copy.go
index d706260cee..83504ac3ce 100644
--- a/client/container_copy.go
+++ b/client/container_copy.go
@@ -50,6 +50,7 @@ func (cli *Client) CopyToContainer(ctx context.Context, containerID, dstPath str
 	}
 	defer ensureReaderClosed(response)
 
+	// TODO this code converts non-error status-codes (e.g., "204 No Content") into an error; verify if this is the desired behavior
 	if response.statusCode != http.StatusOK {
 		return fmt.Errorf("unexpected status code from daemon: %d", response.statusCode)
 	}
@@ -69,6 +70,7 @@ func (cli *Client) CopyFromContainer(ctx context.Context, containerID, srcPath s
 		return nil, types.ContainerPathStat{}, wrapResponseError(err, response, "container:path", containerID+":"+srcPath)
 	}
 
+	// TODO this code converts non-error status-codes (e.g., "204 No Content") into an error; verify if this is the desired behavior
 	if response.statusCode != http.StatusOK {
 		return nil, types.ContainerPathStat{}, fmt.Errorf("unexpected status code from daemon: %d", response.statusCode)
 	}
diff --git a/client/container_copy_test.go b/client/container_copy_test.go
index a33ec5c27e..b0a4ad825c 100644
--- a/client/container_copy_test.go
+++ b/client/container_copy_test.go
@@ -121,6 +121,7 @@ func TestCopyToContainerNotFoundError(t *testing.T) {
 	}
 }
 
+// TODO TestCopyToContainerNotStatusOKError expects a non-error status-code ("204 No Content") to produce an error; verify if this is the desired behavior
 func TestCopyToContainerNotStatusOKError(t *testing.T) {
 	client := &Client{
 		client: newMockClient(errorMock(http.StatusNoContent, "No content")),
@@ -200,6 +201,7 @@ func TestCopyFromContainerNotFoundError(t *testing.T) {
 	}
 }
 
+// TODO TestCopyFromContainerNotStatusOKError expects a non-error status-code ("204 No Content") to produce an error; verify if this is the desired behavior
 func TestCopyFromContainerNotStatusOKError(t *testing.T) {
 	client := &Client{
 		client: newMockClient(errorMock(http.StatusNoContent, "No content")),
diff --git a/client/image_pull.go b/client/image_pull.go
index d97aacf8c5..a23975591b 100644
--- a/client/image_pull.go
+++ b/client/image_pull.go
@@ -3,12 +3,12 @@ package client // import "github.com/docker/docker/client"
 import (
 	"context"
 	"io"
-	"net/http"
 	"net/url"
 	"strings"
 
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/errdefs"
 )
 
 // ImagePull requests the docker host to pull an image from a remote registry.
@@ -35,7 +35,7 @@ func (cli *Client) ImagePull(ctx context.Context, refStr string, options types.I
 	}
 
 	resp, err := cli.tryImageCreate(ctx, query, options.RegistryAuth)
-	if resp.statusCode == http.StatusUnauthorized && options.PrivilegeFunc != nil {
+	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
 		newAuthHeader, privilegeErr := options.PrivilegeFunc()
 		if privilegeErr != nil {
 			return nil, privilegeErr
diff --git a/client/image_push.go b/client/image_push.go
index a15871c2b4..49d412ee37 100644
--- a/client/image_push.go
+++ b/client/image_push.go
@@ -4,11 +4,11 @@ import (
 	"context"
 	"errors"
 	"io"
-	"net/http"
 	"net/url"
 
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/errdefs"
 )
 
 // ImagePush requests the docker host to push an image to a remote registry.
@@ -36,7 +36,7 @@ func (cli *Client) ImagePush(ctx context.Context, image string, options types.Im
 	query.Set("tag", tag)
 
 	resp, err := cli.tryImagePush(ctx, name, query, options.RegistryAuth)
-	if resp.statusCode == http.StatusUnauthorized && options.PrivilegeFunc != nil {
+	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
 		newAuthHeader, privilegeErr := options.PrivilegeFunc()
 		if privilegeErr != nil {
 			return nil, privilegeErr
diff --git a/client/image_search.go b/client/image_search.go
index 176de3c582..bbdf9e153e 100644
--- a/client/image_search.go
+++ b/client/image_search.go
@@ -4,12 +4,12 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"net/http"
 	"net/url"
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/errdefs"
 )
 
 // ImageSearch makes the docker host to search by a term in a remote registry.
@@ -29,7 +29,7 @@ func (cli *Client) ImageSearch(ctx context.Context, term string, options types.I
 	}
 
 	resp, err := cli.tryImageSearch(ctx, query, options.RegistryAuth)
-	if resp.statusCode == http.StatusUnauthorized && options.PrivilegeFunc != nil {
+	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
 		newAuthHeader, privilegeErr := options.PrivilegeFunc()
 		if privilegeErr != nil {
 			return results, privilegeErr
diff --git a/client/login.go b/client/login.go
index 7d66181900..472edc9037 100644
--- a/client/login.go
+++ b/client/login.go
@@ -3,7 +3,6 @@ package client // import "github.com/docker/docker/client"
 import (
 	"context"
 	"encoding/json"
-	"net/http"
 	"net/url"
 
 	"github.com/docker/docker/api/types"
@@ -15,9 +14,6 @@ import (
 func (cli *Client) RegistryLogin(ctx context.Context, auth types.AuthConfig) (registry.AuthenticateOKBody, error) {
 	resp, err := cli.post(ctx, "/auth", url.Values{}, auth, nil)
 
-	if resp.statusCode == http.StatusUnauthorized {
-		return registry.AuthenticateOKBody{}, unauthorizedError{err}
-	}
 	if err != nil {
 		return registry.AuthenticateOKBody{}, err
 	}
diff --git a/client/plugin_install.go b/client/plugin_install.go
index 13baa40a9b..012afe61ca 100644
--- a/client/plugin_install.go
+++ b/client/plugin_install.go
@@ -4,11 +4,11 @@ import (
 	"context"
 	"encoding/json"
 	"io"
-	"net/http"
 	"net/url"
 
 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/errdefs"
 	"github.com/pkg/errors"
 )
 
@@ -78,7 +78,7 @@ func (cli *Client) tryPluginPull(ctx context.Context, query url.Values, privileg
 
 func (cli *Client) checkPluginPermissions(ctx context.Context, query url.Values, options types.PluginInstallOptions) (types.PluginPrivileges, error) {
 	resp, err := cli.tryPluginPrivileges(ctx, query, options.RegistryAuth)
-	if resp.statusCode == http.StatusUnauthorized && options.PrivilegeFunc != nil {
+	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
 		// todo: do inspect before to check existing name before checking privileges
 		newAuthHeader, privilegeErr := options.PrivilegeFunc()
 		if privilegeErr != nil {