diff --git a/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java b/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java
index 3bbbc60..9e6f2d0 100644
--- a/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java
+++ b/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java
@@ -33,6 +33,17 @@ public class DefaultKeycloakClient implements KeycloakClient {
 
 	@Override
 	public URL findTokenEndpointURL() throws KeycloakClientException {
+		logger.debug("Checking ScopeProvider's scope presence and format");
+		String originalScope = ScopeProvider.instance.get();
+		if (originalScope == null || !originalScope.startsWith("/") || originalScope.length() < 2) {
+			throw new KeycloakClientException(originalScope == null ? "Scope not found in ScopeProvider"
+					: "Bad scope name found: " + originalScope);
+		}
+		logger.debug("Assuring use the rootVO to query the endpoint simple query. Actual scope is: {}", originalScope);
+		String rootVOScope = "/" + originalScope.split("/")[1];
+		logger.debug("Setting rootVO scope into provider as: {}", rootVOScope);
+		ScopeProvider.instance.set(rootVOScope);
+
 		logger.debug("Creating simple query");
 		SimpleQuery query = queryFor(ServiceEndpoint.class);
 		query.addCondition(
@@ -46,6 +57,9 @@ public class DefaultKeycloakClient implements KeycloakClient {
 		logger.trace("Submitting query: {}", query);
 		List accessPoints = client.submit(query);
 
+		logger.debug("Restting scope into provider to the original value: {}", originalScope);
+		ScopeProvider.instance.set(originalScope);
+
 		if (accessPoints.size() == 0) {
 			throw new KeycloakClientException("Service endpoint not found");
 		} else if (accessPoints.size() > 1) {
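Review bot: The scope pushed into the shared `ScopeProvider` is restored only on the success path: if `queryFor`, `addCondition` or `client.submit` throws between `ScopeProvider.instance.set(rootVOScope)` at the end of the first hunk and the restore added in the second, the caller's context stays pointed at the root VO and every later call on that thread runs under the wrong scope. Putting the restore in a `finally` around the lookup makes the change safe however the query ends; the rest of `findTokenEndpointURL`, including its return, lies outside these hunks. Two smaller points in the same hunks: the restore's log message reads `Restting` rather than `Resetting`, and `originalScope.split("/")[1]` is an empty segment for a value like `//x`, so `rootVOScope` collapses to `/` — the format check could reject that case as well.
```java
		ScopeProvider.instance.set(rootVOScope);
		try {
			logger.debug("Creating simple query");
			// … unchanged: query construction and submission, result-count checks, endpoint extraction …
		} finally {
			// restore the caller's scope even when the lookup throws
			logger.debug("Resetting scope into provider to the original value: {}", originalScope);
			ScopeProvider.instance.set(originalScope);
		}
```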
@@ -66,6 +80,7 @@ public class DefaultKeycloakClient implements KeycloakClient {
 		return queryUMAToken(clientId, clientSecret, ScopeProvider.instance.get(), permissions);
 	}
 
+	@Override
 	public TokenResponse queryUMAToken(String clientId, String clientSecret, String audience, List permissions)
 			throws KeycloakClientException {
 
@@ -86,6 +101,18 @@ public class DefaultKeycloakClient implements KeycloakClient {
 	public TokenResponse queryUMAToken(URL tokenURL, String authorization, String audience, List permissions)
 			throws KeycloakClientException {
 
+		if (tokenURL == null) {
+			throw new KeycloakClientException("'tokenURL' parameter must be not null");
+		}
+
+		if (authorization == null || "".equals(authorization)) {
+			throw new KeycloakClientException("'authorization' parameter must be not null nor empty");
+		}
+
+		if (audience == null || "".equals(audience)) {
+			throw new KeycloakClientException("'audience' parameter must be not null nor empty");
+		}
+
 		logger.debug("Querying token from Keycloak server with URL: {}", tokenURL);
 		Map> params = new HashMap<>();