diff --git a/proxy/pkg/middleware/account_uuid.go b/proxy/pkg/middleware/account_uuid.go
index 0838f99e5c9..7d3611fd228 100644
--- a/proxy/pkg/middleware/account_uuid.go
+++ b/proxy/pkg/middleware/account_uuid.go
@@ -93,12 +93,15 @@ func AccountUUID(opts ...Option) func(next http.Handler) http.Handler {
 if opt.EnableBasicAuth && ok {
 l.Warn().Msg("basic auth enabled, use only for testing or development")
 account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("login eq '%s' and password eq '%s'", strings.ReplaceAll(login, "'", "''"), strings.ReplaceAll(password, "'", "''")))
- if status != 0 {
- w.WriteHeader(status)
+ if status == 0 {
+ // fake claims for the subsequent code flow
+ claims = &oidc.StandardClaims{
+ Iss: opt.OIDCIss,
+ }
+ } else {
+ // tell client to reauthenticate
+ w.WriteHeader(http.StatusUnauthorized)
 return
- } // fake claims for the subsequent code flow
- claims = &oidc.StandardClaims{
- Iss: opt.OIDCIss,
 }
 } else {
 next.ServeHTTP(w, r)
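Review bot: The new `else` branch answers every non-zero `status` from `getAccount` with a bare 401, so the original status is discarded and the response carries no `WWW-Authenticate` challenge, which HTTP semantics (RFC 9110) require on a 401 and which clients need before they re-prompt for credentials. Set the header before writing the status, e.g. `w.Header().Set("WWW-Authenticate", "Basic realm=\"REALM_PLACEHOLDER\"")`, with the deployment's realm substituted for the placeholder. If `getAccount` can also return a server-side failure status (its body is not visible in this hunk), that case should keep its own status rather than be reported as bad credentials. The dropped `status` is also worth a debug-level log line, so that failed logins stay distinguishable from backend errors. `AccountUUID` begins and ends outside this hunk.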