diff --git a/changelog/unreleased/fix-basic-auth-config.md b/changelog/unreleased/fix-basic-auth-config.md
new file mode 100644
index 000000000..8df9b0524
--- /dev/null
+++ b/changelog/unreleased/fix-basic-auth-config.md
@@ -0,0 +1,6 @@
+Bugfix: Fix basic auth config
+
+Users could authenticate using basic auth even though `PROXY_ENABLE_BASIC_AUTH` was set to false.
+
+https://github.com/owncloud/ocis/pull/2719
+https://github.com/owncloud/ocis/issues/2466
diff --git a/storage/pkg/command/frontend.go b/storage/pkg/command/frontend.go
index 43fb59a6f..c2fc65405 100644
--- a/storage/pkg/command/frontend.go
+++ b/storage/pkg/command/frontend.go
@@ -162,6 +162,7 @@ func frontendConfigFromStruct(c *cli.Context, cfg *config.Config, filesCfg map[s
 				},
 				"auth": map[string]interface{}{
 					"credentials_by_user_agent": cfg.Reva.Frontend.Middleware.Auth.CredentialsByUserAgent,
+					"credential_chain":          []string{"bearer"},
 				},
 			},
 			// TODO build services dynamically