diff --git a/internal/grpc/interceptors/auth/auth.go b/internal/grpc/interceptors/auth/auth.go
index c5037d7fb5a..8b19d17d187 100644
--- a/internal/grpc/interceptors/auth/auth.go
+++ b/internal/grpc/interceptors/auth/auth.go
@@ -271,7 +271,7 @@ func dismantleToken(ctx context.Context, tkn string, req interface{}, mgr token.
 		}
 	}
 
-	return nil, err
+	return nil, errtypes.PermissionDenied("access token has invalid scope")
 }
 
 func extractRef(req interface{}) (*provider.Reference, bool) {
diff --git a/internal/grpc/services/gateway/storageprovider.go b/internal/grpc/services/gateway/storageprovider.go
index ca1c90f79ea..da7bf820c02 100644
--- a/internal/grpc/services/gateway/storageprovider.go
+++ b/internal/grpc/services/gateway/storageprovider.go
@@ -1698,7 +1698,10 @@ func (s *svc) getPath(ctx context.Context, ref *provider.Reference, keys ...stri
 		return res.Info.Ref.Path, res.Status
 	}
 
-	return ref.Path, &rpc.Status{Code: rpc.Code_CODE_OK}
+	if ref.Path != "" {
+		return ref.Path, &rpc.Status{Code: rpc.Code_CODE_OK}
+	}
+	return "", &rpc.Status{Code: rpc.Code_CODE_INTERNAL}
 }
 
 // /home/MyShares/
@@ -1920,7 +1923,7 @@ func (s *svc) findProviders(ctx context.Context, ref *provider.Reference) ([]*re
 	})
 
 	if err != nil {
-		return nil, errors.Wrap(err, "gateway: error calling GetStorageProvider")
+		return nil, errors.Wrap(err, "gateway: error calling GetStorageProviders")
 	}
 
 	if res.Status.Code != rpc.Code_CODE_OK {
diff --git a/internal/http/services/owncloud/ocdav/publicfile.go b/internal/http/services/owncloud/ocdav/publicfile.go
index df04a1d71c5..79547090fa0 100644
--- a/internal/http/services/owncloud/ocdav/publicfile.go
+++ b/internal/http/services/owncloud/ocdav/publicfile.go
@@ -166,7 +166,7 @@ func (s *svc) handlePropfindOnToken(w http.ResponseWriter, r *http.Request, ns s
 
 	// find actual file name
 	pathRes, err := client.GetPath(ctx, &provider.GetPathRequest{
-		Ref: tokenStatInfo.GetRef(),
+		Ref: tokenStatInfo.GetId(),
 	})
 	if err != nil {
 		sublog.Warn().Msg("Could not get path of resource")
diff --git a/pkg/auth/scope/publicshare.go b/pkg/auth/scope/publicshare.go
index 8819ea99822..d92cdf29dca 100644
--- a/pkg/auth/scope/publicshare.go
+++ b/pkg/auth/scope/publicshare.go
@@ -71,9 +71,10 @@ func publicshareScope(scope *authpb.Scope, resource interface{}) (bool, error) {
 
 func checkStorageRef(s *link.PublicShare, r *provider.Reference) bool {
 	// ref: <id:<storage_id:$storageID opaque_id:$opaqueID > >
-	if r != nil {
+	if r.StorageId != "" || r.NodeId != "" {
 		return s.Ref.StorageId == r.StorageId && s.Ref.NodeId == r.NodeId
 	}
+
 	// ref: <path:"/public/$token" >
 	if strings.HasPrefix(r.GetPath(), "/public/"+s.Token) {
 		return true