Fix bearer token invalidation bug by calling AddResponses() twice on 401 errors

fs/remote/resolver.go

@@ -258,7 +258,23 @@ func (tr *transport) RoundTrip(req *http.Request) (*http.Response, error) {
 	if resp.StatusCode == http.StatusUnauthorized {
 		log.G(ctx).Infof("Received status code: %v. Refreshing creds...", resp.Status)
 
-		// prepare authorization for the target host using docker.Authorizer
+		// Prepare authorization for the target host using docker.Authorizer.
+		// The docker authorizer only refreshes OAuth tokens after two
+		// successive 401 errors for the same URL. Rather than issue the same
+		// request multiple times to tickle the token-refreshing logic, just
+		// provide the same response twice to trick it into refreshing the
+		// cached OAuth token. Call AddResponses() twice, first to invalidate
+		// the existing token (with two responses), second to fetch a new one
+		// (with one response).
+		// TODO: fix after one of these two PRs are merged and available:
+		//     https://github.com/containerd/containerd/pull/8735
+		//     https://github.com/containerd/containerd/pull/8388
+		if err := tr.auth.AddResponses(ctx, []*http.Response{resp, resp}); err != nil {
+			if errdefs.IsNotImplemented(err) {
+				return resp, nil
+			}
+			return nil, err
+		}
 		if err := tr.auth.AddResponses(ctx, []*http.Response{resp}); err != nil {
 			if errdefs.IsNotImplemented(err) {
 				return resp, nil