diff --git a/changelog/unreleased/account-roles-fix.md b/changelog/unreleased/account-roles-fix.md
new file mode 100644
index 0000000000..35dce3a1bd
--- /dev/null
+++ b/changelog/unreleased/account-roles-fix.md
@@ -0,0 +1,3 @@
+Bugfix: Check if roles are present in user object before looking those up
+
+https://github.com/owncloud/ocis/pull/1388
diff --git a/ocis-pkg/middleware/account.go b/ocis-pkg/middleware/account.go
index c02ca9f30a..1e9b70c2de 100644
--- a/ocis-pkg/middleware/account.go
+++ b/ocis-pkg/middleware/account.go
@@ -67,7 +67,11 @@ func ExtractAccountUUID(opts ...account.Option) func(http.Handler) http.Handler
 			ctx = context.WithValue(ctx, UUIDKey, u.Id.OpaqueId)
 			// TODO: implement token manager in cs3org/reva that uses generic metadata instead of access token from header.
 			ctx = metadata.Set(ctx, AccountID, u.Id.OpaqueId)
-			ctx = metadata.Set(ctx, RoleIDs, string(u.Opaque.Map["roles"].Value))
+			if u.Opaque != nil {
+				if roles, ok := u.Opaque.Map["roles"]; ok {
+					ctx = metadata.Set(ctx, RoleIDs, string(roles.Value))
+				}
+			}
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}