diff --git a/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/AbstractKeycloakFilter.java b/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/AbstractKeycloakFilter.java
index ad78dc07ce..865a52c8ff 100644
--- a/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/AbstractKeycloakFilter.java
+++ b/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/AbstractKeycloakFilter.java
@@ -38,14 +38,16 @@ public abstract class AbstractKeycloakFilter implements Filter {
 /** when a request came from a machine with valid token then auth is not required */
 protected boolean shouldSkipAuthentication(HttpServletRequest request, String token) {
 if (token == null) {
+ if (request.getRequestURI() != null
+ && request.getRequestURI().endsWith("api/keycloak/OIDCKeycloak.js")) {
+ return true;
+ }
 return false;
 }
 try {
 final PublicKey publicKey = signatureKeyManager.getKeyPair().getPublic();
 final Jwt jwt = Jwts.parser().setSigningKey(publicKey).parse(token);
- return MACHINE_TOKEN_KIND.equals(jwt.getHeader().get("kind"))
- || (request.getRequestURI() != null
- && request.getRequestURI().endsWith("api/keycloak/OIDCKeycloak.js"));
+ return MACHINE_TOKEN_KIND.equals(jwt.getHeader().get("kind"));
 } catch (ExpiredJwtException | MalformedJwtException | SignatureException ex) {
 // given token is not signed by particular signature key so it must be checked in another way
 return false;
diff --git a/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/AbstractKeycloakFilterTest.java b/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/AbstractKeycloakFilterTest.java
index 1d94b730c9..9b02d58af7 100644
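Review bot: The new null-token branch turns a suffix match on the raw request URI into an unauthenticated allow-list entry, so any path that happens to end in `api/keycloak/OIDCKeycloak.js` — under some other prefix, or after `..`/encoded segments if the container hands the URI through unnormalized — now skips authentication, whereas before this commit a missing token always returned false and the suffix test only applied to a request that already carried a validly signed token. An exact comparison against the path the container actually routes, e.g. `if ("/api/keycloak/OIDCKeycloak.js".equals(request.getServletPath())) { return true; }` (confirm the servlet-path shape for this deployment), with the literal lifted into a named constant, keeps the exemption to the one resource it is meant for. The Javadoc on the line above the signature still says only machine tokens skip auth and should be updated to cover the new case, e.g. `/** Auth is skipped for requests carrying a valid machine token, and for the OIDCKeycloak.js adapter script fetched without any token. */`. shouldSkipAuthentication's closing brace lies outside the hunk.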
--- a/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/AbstractKeycloakFilterTest.java
+++ b/multiuser/keycloak/che-multiuser-keycloak-server/src/test/java/org/eclipse/che/multiuser/keycloak/server/AbstractKeycloakFilterTest.java
@@ -65,6 +65,13 @@ public class AbstractKeycloakFilterTest {
 .compact();
 when(signatureKeyManager.getKeyPair()).thenReturn(keyPair);
+ when(request.getRequestURI()).thenReturn(null);
+ }
+
+ @Test
+ public void testShouldSkipAuthWhenRetrievingOIDCKeycloakJsFile() {
+ when(request.getRequestURI()).thenReturn("https://localhost:8080/api/keycloak/OIDCKeycloak.js");
+ assertTrue(abstractKeycloakFilter.shouldSkipAuthentication(request, null));
 }
 @Test
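Review bot: The stub on the `when(request.getRequestURI())` line of the new test returns a full URL, `https://localhost:8080/api/keycloak/OIDCKeycloak.js`, but `HttpServletRequest.getRequestURI()` yields only the path part of the request line, so the test passes solely because the production check is a suffix match and would not catch a tightening of that check to the real path shape. Stub the value a container actually delivers, `when(request.getRequestURI()).thenReturn("/api/keycloak/OIDCKeycloak.js");`. A companion negative case — null token with a URI that does not end in that path, asserting `assertFalse(abstractKeycloakFilter.shouldSkipAuthentication(request, null));` — would pin that the exemption stays limited to that one resource, if the suite does not already have one. The setup method that receives the `thenReturn(null)` stub starts outside the hunk.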