diff --git a/src/rm/RequestManagerUser.cc b/src/rm/RequestManagerUser.cc
index 29c3e12304..03901f64a1 100644
--- a/src/rm/RequestManagerUser.cc
+++ b/src/rm/RequestManagerUser.cc
@@ -503,7 +503,7 @@ void UserLogin::request_execute(xmlrpc_c::paramList const& paramList,
     }
     else if (valid > 0 || valid == -1)
     {
-        if ( egid != -1 && !user->is_in_group(egid) )
+        if ( egid != -1 && (!user->is_in_group(egid) || att.group_ids.count(egid) == 0) )
         {
             att.resp_msg = "EGID is not in user group list";
             failure_response(XML_RPC_API,  att);
@@ -512,6 +512,15 @@ void UserLogin::request_execute(xmlrpc_c::paramList const& paramList,
             return;
         }
 
+        if ( egid == -1 && user->get_groups() != att.group_ids )
+        {
+            att.resp_msg = "Cannot request unscoped token from scoped token";
+            failure_response(XML_RPC_API,  att);
+
+            user->unlock();
+            return;
+        }
+
         if ( user->login_tokens.set(token, valid, egid) != 0 )
         {
             att.resp_msg = "Max number of tokens limit reached.";