diff --git a/changelog/unreleased/check-public-auth-first.md b/changelog/unreleased/check-public-auth-first.md
new file mode 100644
index 00000000000..139af0b2f3f
--- /dev/null
+++ b/changelog/unreleased/check-public-auth-first.md
@@ -0,0 +1,5 @@
+Bugfix: Check public auth first
+
+When authenticating in proxy, first check for public link authorization.
+
+https://github.com/owncloud/ocis/pull/6900
diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go
index c3d95ed669b..86c99c9601a 100644
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -349,6 +349,10 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config,
 		})
 	}
 
+	authenticators = append(authenticators, middleware.PublicShareAuthenticator{
+		Logger:              logger,
+		RevaGatewaySelector: gatewaySelector,
+	})
 	authenticators = append(authenticators, middleware.NewOIDCAuthenticator(
 		middleware.Logger(logger),
 		middleware.UserInfoCache(userInfoCache),
@@ -363,10 +367,6 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config,
 			oidc.WithJWKSOptions(cfg.OIDC.JWKS),
 		)),
 	))
-	authenticators = append(authenticators, middleware.PublicShareAuthenticator{
-		Logger:              logger,
-		RevaGatewaySelector: gatewaySelector,
-	})
 	authenticators = append(authenticators, middleware.SignedURLAuthenticator{
 		Logger:             logger,
 		PreSignedURLConfig: cfg.PreSignedURL,