diff --git a/CHANGELOG b/CHANGELOG
index 13b937b8c46562d80808d31ed61eb48b0307dc10..ef4d72a9e9b72c557d8fe68d76b9c6ff0d3b94be 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.8.1 (unreleased)
   - Fix MySQL compatibility in zero downtime migrations helpers
+  - Fix the CI login to Container Registry (the gitlab-ci-token user)
 
 v 8.8.0 (unreleased)
   - Implement GFM references for milestones (Alejandro Rodríguez)
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index f5aa5397ff1c98e2e36a28f56704d703936b2c64..156ab2811d66401eb7a3dde917a0496f42fefc4f 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -36,7 +36,7 @@ class JwtController < ApplicationController
   end
 
   def authenticate_project(login, password)
-    if login == 'gitlab_ci_token'
+    if login == 'gitlab-ci-token'
       Project.find_by(builds_enabled: true, runners_token: password)
     end
   end
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index f807b8ec09ac29cf39fcc24552c9519d919fe0ef..2bbab643e6976134b869eab34d934d1e6b1d03c7 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -6,7 +6,7 @@ module Auth
       return error('not found', 404) unless registry.enabled
 
       if params[:offline_token]
-        return error('unauthorized', 401) unless current_user
+        return error('unauthorized', 401) unless current_user || project
       else
         return error('forbidden', 403) unless scope
       end
diff --git a/spec/requests/jwt_controller_spec.rb b/spec/requests/jwt_controller_spec.rb
index 7bb71365a48cc7a4162a9e6986ed68bbfa487193..d006ff195cf8a9970c2d5b74f90e896950193901 100644
--- a/spec/requests/jwt_controller_spec.rb
+++ b/spec/requests/jwt_controller_spec.rb
@@ -23,7 +23,7 @@ describe JwtController do
   context 'when using authorized request' do
     context 'using CI token' do
       let(:project) { create(:empty_project, runners_token: 'token', builds_enabled: builds_enabled) }
-      let(:headers) { { authorization: credentials('gitlab_ci_token', project.runners_token) } }
+      let(:headers) { { authorization: credentials('gitlab-ci-token', project.runners_token) } }
 
       subject! { get '/jwt/auth', parameters, headers }
 
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
index 73b8c3f048fc40c1c885be0a1f675232ec1a799b..3f4a1ced2b67c78deaeb02b2e5d403b19a5d045f 100644
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -127,12 +127,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
   context 'project authorization' do
     let(:current_project) { create(:empty_project) }
 
-    context 'disallow to use offline_token' do
+    context 'allow to use offline_token' do
       let(:current_params) do
         { offline_token: true }
       end
 
-      it_behaves_like 'an unauthorized'
+      it_behaves_like 'an authenticated'
     end
 
     context 'allow to pull and push images' do