diff --git a/proxy/pkg/middleware/authentication.go b/proxy/pkg/middleware/authentication.go
index ebc053510a..16a0f5d3c6 100644
--- a/proxy/pkg/middleware/authentication.go
+++ b/proxy/pkg/middleware/authentication.go
@@ -9,6 +9,11 @@ import (
 var SupportedAuthStrategies []string
+// ProxyWwwAuthenticate is a list of endpoints that do not rely on reva underlying authentication, such as ocs.
+// services that fallback to reva authentication are declared in the "frontend" command on OCIS.
+// TODO this should be a regexp, or it can be confused with routes that contain "/ocs" somewhere along the URI
+var ProxyWwwAuthenticate = []string{"ocs"}
+
 type statusRecorder struct {
 	http.ResponseWriter
 	status int
diff --git a/proxy/pkg/middleware/basic_auth.go b/proxy/pkg/middleware/basic_auth.go
index 48055f5574..cd20cf0b67 100644
--- a/proxy/pkg/middleware/basic_auth.go
+++ b/proxy/pkg/middleware/basic_auth.go
@@ -35,7 +35,11 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 			// if we want to prevent duplicated Www-Authenticate headers coming from Reva consider using w.Header().Del("Www-Authenticate")
 			// but this will require the proxy being aware of endpoints which authentication fallback to Reva.
 			if !h.isPublicLink(req) {
-				w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Basic", req.Host))
+				for i := 0; i < len(ProxyWwwAuthenticate); i++ {
+					if strings.Contains(req.RequestURI, fmt.Sprintf("/%v/", ProxyWwwAuthenticate[i])) {
+						w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Basic", req.Host))
+					}
+				}
 			}
 			next.ServeHTTP(w, req)
 			return
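Review bot: The loop that consumes `ProxyWwwAuthenticate` is pasted verbatim into both BasicAuth hunks and the OIDCAuth hunk, so the TODO on this declaration (moving to a regexp or prefix match) will have to be carried out in three files; a single predicate declared next to the slice keeps the matching rule in one place. The helper below keeps the `strings.Contains` semantics the commit uses so it is a pure extraction, and it needs a `strings` import in authentication.go if that file does not already have one. The exported, mutable slice can also be reassigned by any importer at runtime; if that is not intended, unexport it or state in its comment that it is configuration fixed at startup.

```go
var ProxyWwwAuthenticate = []string{"ocs"}

// proxyWwwAuthenticate reports whether req targets one of the
// ProxyWwwAuthenticate endpoints, i.e. whether the proxy itself must emit
// the Www-Authenticate challenge instead of leaving it to reva.
func proxyWwwAuthenticate(req *http.Request) bool {
	for _, name := range ProxyWwwAuthenticate {
		if strings.Contains(req.RequestURI, "/"+name+"/") {
			return true
		}
	}
	return false
}
```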
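Review bot: The new `strings.Contains(req.RequestURI, "/ocs/")` test is looser than the comment on `ProxyWwwAuthenticate` admits: it inspects the raw request-target including the query string, fires for `/ocs/` appearing deeper in a path (for example a WebDAV resource named `ocs`), and never matches a path that ends exactly at `/ocs`. Matching the parsed path by prefix is what the TODO asks for and is a one-line change: `if p := req.URL.Path; p == "/"+ProxyWwwAuthenticate[i] || strings.HasPrefix(p, "/"+ProxyWwwAuthenticate[i]+"/") {`. The same loop appears in the second BasicAuth hunk and in the OIDCAuth hunk and would take the same change. BasicAuth's handler closure starts and ends outside this hunk.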
@@ -43,7 +47,11 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 			account, ok := h.getAccount(req)
 			if !ok {
-				w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Basic", req.Host))
+				for i := 0; i < len(ProxyWwwAuthenticate); i++ {
+					if strings.Contains(req.RequestURI, fmt.Sprintf("/%v/", ProxyWwwAuthenticate[i])) {
+						w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Basic", req.Host))
+					}
+				}
 				w.WriteHeader(http.StatusUnauthorized)
 				return
 			}
diff --git a/proxy/pkg/middleware/oidc_auth.go b/proxy/pkg/middleware/oidc_auth.go
index 112a86f581..73b46cc0e6 100644
--- a/proxy/pkg/middleware/oidc_auth.go
+++ b/proxy/pkg/middleware/oidc_auth.go
@@ -47,7 +47,12 @@ func OIDCAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 			// this means that requests such as:
 			// curl -v -k -u admin:admin -H "depth: 0" -X PROPFIND https://localhost:9200/remote.php/dav/files | xmllint --format -
 			// even when succeeding, will contain a Www-Authenticate header.
-			w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Bearer", req.Host))
+
+			for i := 0; i < len(ProxyWwwAuthenticate); i++ {
+				if strings.Contains(req.RequestURI, fmt.Sprintf("/%v/", ProxyWwwAuthenticate[i])) {
+					w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Bearer", req.Host))
+				}
+			}
 			next.ServeHTTP(w, req)
 			return
 		}
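Review bot: In this branch the proxy writes `http.StatusUnauthorized` and returns without calling `next`, so the request never reaches reva and nothing downstream will add the challenge; for any route that does not match `ProxyWwwAuthenticate` the client now receives a 401 without a `Www-Authenticate` header, which RFC 7235 requires on a 401 and which clients use to pick the scheme to retry with. If the motivation is the one stated in the first hunk (not duplicating reva's header), it does not apply here, and the challenge should stay unconditional in this branch: `w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Basic", req.Host))` directly before `w.WriteHeader`. The enclosing handler continues outside the hunk.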
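Review bot: The context comment above the new loop is now stale: it says a PROPFIND to `/remote.php/dav/files` "even when succeeding, will contain a Www-Authenticate header", but that path matches no `ProxyWwwAuthenticate` entry, so after this change the proxy no longer adds the Bearer challenge for it. Either drop the example or reword the comment, e.g. `// for routes listed in ProxyWwwAuthenticate the proxy adds the Bearer challenge even when the request later succeeds; every other route leaves the challenge to reva.` The leading blank `+` line also separates the comment from the loop it describes and could be dropped. OIDCAuth's handler starts outside the hunk.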