diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index 2a92627cb1b..9bf1ddbba21 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -8,8 +8,9 @@ class JwtController < ApplicationController
 def auth
 @authenticated = authenticate_with_http_basic do |login, password|
- @ci_project = ci_project(login, password)
- @user = authenticate_user(login, password) unless @ci_project
+ # if it's possible we first try to authenticate project with login and password
+ @project = authenticate_project(login, password)
+ @user = authenticate_user(login, password) unless @project
 end
 unless @authenticated
@@ -19,7 +20,7 @@ class JwtController < ApplicationController
 service = SERVICES[params[:service]]
 head :not_found unless service
- result = service.new(@ci_project, @user, auth_params).execute
+ result = service.new(@project, @user, auth_params).execute
 return head result[:http_status] if result[:http_status]
 render json: result
@@ -31,7 +32,7 @@ class JwtController < ApplicationController
 params.permit(:service, :scope, :offline_token, :account, :client_id)
 end
- def ci_project(login, password)
+ def authenticate_project(login, password)
 matched_login = /(?^[a-zA-Z]*-ci)-token$/.match(login)
 if matched_login.present?
diff --git a/app/services/jwt/docker_authentication_service.rb b/app/services/jwt/docker_authentication_service.rb
index ce28085e5d6..fb0c41a12f7 100644
--- a/app/services/jwt/docker_authentication_service.rb
+++ b/app/services/jwt/docker_authentication_service.rb
@@ -5,12 +5,12 @@ module Jwt
 return error('forbidden', 403) unless current_user
 end
- { token: token.encoded }
+ { token: authorized_token.encoded }
 end
 private
- def token
+ def authorized_token
 token = ::Jwt::RSAToken.new(registry.key)
 token.issuer = registry.issuer
 token.audience = params[:service]
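Review bot: `@authenticated` is still wrong for a successfully authenticated project in the first hunk: the block's last expression is `@user = authenticate_user(login, password) unless @project`, and a modifier `unless` whose condition is true evaluates to nil, so `authenticate_with_http_basic` yields nil and the `unless @authenticated` guard below rejects a valid CI token — unless code outside the hunk re-checks `@project`, which is not visible here. Make the block return the actor explicitly by adding `@project || @user` as its last line. The new comment would also read better as `# Try project (CI token) authentication first; fall back to user authentication`. The rest of `auth` lies outside the hunk.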
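Review bot: `head :not_found unless service` on the line above the changed call does not end the action, so when `params[:service]` names no entry in `SERVICES` the new line `result = service.new(@project, @user, auth_params).execute` is still reached with `service == nil` and raises `NoMethodError` after a response has already been set. Use `return head :not_found unless service`, matching the `return head result[:http_status]` form two lines below. The body of `auth` continues outside this hunk.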
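Review bot: The pattern in the renamed `authenticate_project` is anchored with `^` and `$`, which in Ruby match at line boundaries rather than string ends, so a login containing a newline can still satisfy the `-ci-token` check; the pattern as rendered here looks partly garbled, so confirm against the actual source. Anchor the match with `\A` and `\z` in place of `^` and `$`. A one-line doc would also help, e.g. `# Returns the project for a CI-token style login, or nil when the login does not match`. The method body continues outside the hunk.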
@@ -37,22 +37,22 @@ module Jwt
 end
 def process_repository_access(type, name, actions)
- current_project = Project.find_with_namespace(name)
- return unless current_project
+ requested_project = Project.find_with_namespace(name)
+ return unless requested_project
 actions = actions.select do |action|
- can_access?(current_project, action)
+ can_access?(requested_project, action)
 end
 { type: type, name: name, actions: actions } if actions
 end
- def can_access?(current_project, action)
- case action
+ def can_access?(requested_project, requested_action)
+ case requested_action
 when 'pull'
- current_project == project || can?(current_user, :download_code, current_project)
+ requested_project.public? || requested_project == project || can?(current_user, :download_code, requested_project)
 when 'push'
- current_project == project || can?(current_user, :push_code, current_project)
+ requested_project == project || can?(current_user, :push_code, requested_project)
 else
 false
 end
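Review bot: The `if actions` guard on the return line of `process_repository_access` never fires: `Array#select`, which the new `can_access?(requested_project, action)` block feeds, always returns an array, and an empty array is truthy in Ruby. A scope where every requested action was rejected is therefore still emitted as `{ type:, name:, actions: [] }` instead of being dropped; tighten it to `{ type: type, name: name, actions: actions } unless actions.empty?`. The new `requested_project.public?` short-circuit on the pull branch grants read access with no actor at all, which looks intended for anonymous registry pulls; a comment such as `# public projects are pullable without authentication` would record that decision, and the line itself exceeds the usual 120-column limit. The closing `end` of `can_access?` lies outside the hunk.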