diff --git a/changelog/unreleased/fix-lw-apps.md b/changelog/unreleased/fix-lw-apps.md
new file mode 100644
index 0000000000..5555daf375
--- /dev/null
+++ b/changelog/unreleased/fix-lw-apps.md
@@ -0,0 +1,3 @@
+Bugfix: Fix open in app for lightweight accounts
+
+https://github.com/cs3org/reva/pull/3626
diff --git a/internal/grpc/interceptors/auth/scope.go b/internal/grpc/interceptors/auth/scope.go
index ddd31c7e91..e78aa56b72 100644
--- a/internal/grpc/interceptors/auth/scope.go
+++ b/internal/grpc/interceptors/auth/scope.go
@@ -79,7 +79,9 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s
 					return nil
 				}
 			}
-			log.Err(err).Msgf("error resolving reference %s under scope %+v", ref.String(), k)
+			if err != nil {
+				log.Err(err).Msgf("error resolving reference %s under scope %+v", ref.String(), k)
+			}
 		}
 	}
 
@@ -110,6 +112,8 @@ func checkLightweightScope(ctx context.Context, req interface{}, tokenScope map[
 		return true
 	case *provider.StatRequest:
 		return true
+	case *appregistry.GetAppProvidersRequest:
+		return true
 	case *provider.ListContainerRequest:
 		return hasPermissions(ctx, client, r.GetRef(), &provider.ResourcePermissions{
 			ListContainer: true,
@@ -142,11 +146,11 @@ func checkLightweightScope(ctx context.Context, req interface{}, tokenScope map[
 			return false
 		}
 		return hasPermissions(ctx, client, parent, &provider.ResourcePermissions{
-			InitiateFileDownload: true,
+			InitiateFileUpload: true,
 		})
 	case *provider.DeleteRequest:
 		return hasPermissions(ctx, client, r.GetRef(), &provider.ResourcePermissions{
-			InitiateFileDownload: true,
+			Delete: true,
 		})
 	case *provider.MoveRequest:
 		return hasPermissions(ctx, client, r.Source, &provider.ResourcePermissions{