diff --git a/pkg/api/authz.go b/pkg/api/authz.go index 7b4abd30..77b4d956 100644 --- a/pkg/api/authz.go +++ b/pkg/api/authz.go @@ -279,6 +279,9 @@ func AuthzHandler(ctlr *Controller) mux.MiddlewareFunc { return } + + // assign identity to authz context, needed for extensions + acCtx.Username = identity } } diff --git a/pkg/api/controller_test.go b/pkg/api/controller_test.go index 0eb97d48..c352291d 100644 --- a/pkg/api/controller_test.go +++ b/pkg/api/controller_test.go @@ -1370,11 +1370,22 @@ func TestMutualTLSAuthWithUserPermissions(t *testing.T) { So(resp, ShouldNotBeNil) So(resp.StatusCode(), ShouldEqual, http.StatusOK) + resp, err = resty.R().Get(secureBaseURL + "/v2/_catalog") + So(err, ShouldBeNil) + So(resp, ShouldNotBeNil) + So(resp.StatusCode(), ShouldEqual, http.StatusOK) + // with creds, should get expected status code resp, _ = resty.R().Get(secureBaseURL) So(resp, ShouldNotBeNil) So(resp.StatusCode(), ShouldEqual, http.StatusNotFound) + // reading a repo should not get 403 + resp, err = resty.R().Get(secureBaseURL + "/v2/repo/tags/list") + So(err, ShouldBeNil) + So(resp, ShouldNotBeNil) + So(resp.StatusCode(), ShouldEqual, http.StatusNotFound) + // without creds, writes should fail resp, err = resty.R().Post(secureBaseURL + "/v2/repo/blobs/uploads/") So(err, ShouldBeNil)
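Review bot: The comment on `acCtx.Username = identity` does not say where `identity` was established or that it has been verified by this point, which matters because extensions will make access decisions from this field. Judging by the test touched in the same commit, this is presumably the mutual-TLS path, so I would word it along the lines of `// identity comes from the verified client certificate above; expose it as Username so extensions authorize against the same principal`, adjusted to what the code above the hunk actually does. The assignment sits inside a nested block (two closing braces follow it), so it is worth confirming that other paths reaching extensions also populate Username, and that acCtx is attached to the request context after this line, not before it. AuthzHandler's body starts and ends outside the hunk.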
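Review bot: The new `/v2/repo/tags/list` check asserts `http.StatusNotFound`, which shows the request was not answered with 403 but would also pass if the lookup failed for an unrelated reason. Neither new request verifies that the certificate identity actually reached the authz context, because both assert only the status code. A stronger regression test would add a negative case, where the certificate's identity lacks read permission on the repo and the same GET is expected to return `http.StatusForbidden`. It would also inspect the `/v2/_catalog` body, not only its status. TestMutualTLSAuthWithUserPermissions continues outside the hunk, so such a case may already exist further down.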