diff --git a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java
index 5d7974c..5cb5778 100644
--- a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java
+++ b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java
@@ -113,9 +113,11 @@ public class SmartGearsPortalValve extends ValveBase {
             umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session);
         }
         if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) {
+            boolean scopeIsChanged = false;
             if (umaToken == null) {
                 _log.debug("UMA token is null. Getting new one...");
             } else {
+                scopeIsChanged = true;
                 _log.info("UMA token has been issued for another scope (" + umaToken.getAud()
                         + "). Getting new one for scope: " + urlEncodedScope);
             }
@@ -141,8 +143,12 @@ public class SmartGearsPortalValve extends ValveBase {
             }
             OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request);
             try {
-                if (authToken.isExpired()) {
-                    _log.debug("OIDC token is expired, refreshing it");
+                if (scopeIsChanged || authToken.isExpired()) {
+                    if (scopeIsChanged) {
+                        _log.info("Scope is changed, refreshing token to be sure that new grants are present");
+                    } else {
+                        _log.debug("OIDC token is expired, refreshing it");
+                    }
                     try {
                         authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), authToken);
                     } catch (Exception e) {
@@ -155,8 +161,8 @@ public class SmartGearsPortalValve extends ValveBase {
                     JWTTokenUtil.putOIDCInSession(authToken, session);
                 }
                 _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope);
-                umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), authToken.getAsBearer(),
-                        urlEncodedScope, null);
+                umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(),
+                        authToken.getAccessTokenAsBearer(), urlEncodedScope, null);
             } catch (Exception e) {
                 _log.error("Getting UMA token from server", e);
                 return;