diff --git a/imagegw/shifter_imagegw/dockerv2.py b/imagegw/shifter_imagegw/dockerv2.py
index ea7d2b9a..bd3b14fb 100755
--- a/imagegw/shifter_imagegw/dockerv2.py
+++ b/imagegw/shifter_imagegw/dockerv2.py
@@ -376,10 +376,12 @@ def do_token_auth(self, auth_loc_str, creds=False):
         # TODO, figure out what mode was for
         (_, auth_data_str) = auth_loc_str.split(' ', 2)
 
-        auth_data = {}
+        auth_data = {'service':'', 'scope':'pull'}
         for item in filter(None, re.split(r'(\w+=".*?"),', auth_data_str)):
-            (key, val) = item.split('=', 2)
+            (key, val) = item.split('=', 1)
             auth_data[key] = val.replace('"', '')
+            if '?scope=' in auth_data['realm']:
+                auth_data['realm'], auth_data['scope'] = auth_data['realm'].split('?scope=', 1)
 
         auth_conn = _setup_http_conn(auth_data['realm'], self.cacert)
         if auth_conn is None:
@@ -387,7 +389,11 @@ def do_token_auth(self, auth_loc_str, creds=False):
                              'failed to get auth connection')
 
         headers = {}
-        if creds and self.username is not None and self.password is not None:
+        if self.username=='$oauthtoken':
+            self.private = True
+            headers['Authorization'] = 'Bearer %s' % (self.password)
+        elif creds and self.username is not None and self.password is not None:
+
             self.private = True
             auth = '%s:%s' % (self.username, self.password)
             headers['Authorization'] = 'Basic %s' % base64.b64encode(auth)
@@ -404,11 +410,6 @@ def do_token_auth(self, auth_loc_str, creds=False):
 
         if resp.status != 200:
             raise ValueError('Bad response getting token: %d', resp.status)
-        # The json content type can include a extra bit defining the character set
-        # so we just check the beginning.  Worst case is the json.loads will throw
-        # an error just after this.
-        if not resp.getheader('content-type').startswith('application/json'):
-            raise ValueError('Invalid response getting token, not json')
 
         auth_resp = json.loads(resp.read())
         self.token = auth_resp['token']
@@ -541,10 +542,10 @@ def save_layer(self, layer):
             # If the redirect path includes a verify in the path
             # then we don't need the header.  If try to use the
             # header, we may get back a 400.
-            if path.find('verify') > 0:
-                conn.request("GET", path, None, {})
-            else:
-                conn.request("GET", path, None, self.headers)
+            headers = self.headers
+            if path.find('verify') > 0 or path.find('X-Amz-Algorithm') > 0:
+                headers = {}
+            conn.request("GET", path, None, headers)
             resp1 = conn.getresponse()
             location = resp1.getheader('location')
             if resp1.status == 200: