diff --git a/README.md b/README.md
index ca093b5e420fb99aa8a3a2c56b7886416565333a..ca0046b27e61b336e8742702950babe5d379379a 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,14 @@ To run:
 
     docker run --env-file docker-env -d -p 8081:8081 -i -t gms:latest
 
+## Create the first super-admin
+
+The first super admin user must be added manually, then he/she will be able to add other administrators from the UI:
+
+    INSERT INTO gms_permission (group_id, user_id, permission, group_path) VALUES('ROOT', '1', 'ADMIN', '');
+
+The value `user_id` is the RAP user id.
+
 ## Command line clients
 
 To add a command line client first generate the sha256 of its password:
diff --git a/database/Dockerfile b/database/Dockerfile
index bb94ba24410f4c8ecb08ee2d5b253402c09318a8..d73d745e998d0dc26db7a3812fcb68daeba9ea7b 100644
--- a/database/Dockerfile
+++ b/database/Dockerfile
@@ -1,3 +1,4 @@
 FROM library/postgres:11
 COPY gms/src/main/resources/sql/init.sql /docker-entrypoint-initdb.d/
 COPY database/user.sql /docker-entrypoint-initdb.d/
+ENV POSTGRES_HOST_AUTH_METHOD=trust
diff --git a/gms/src/main/java/it/inaf/ia2/gms/authn/CustomIdTokenConverter.java b/gms/src/main/java/it/inaf/ia2/gms/authn/CustomIdTokenConverter.java
index b4582d40acd54b8cf1b624637e2a3fb1892af88e..ee5d1e5436631efebcd672b3bcd8691b8a8ad078 100644
--- a/gms/src/main/java/it/inaf/ia2/gms/authn/CustomIdTokenConverter.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/authn/CustomIdTokenConverter.java
@@ -23,10 +23,11 @@ public class CustomIdTokenConverter extends DefaultUserAuthenticationConverter {
     @Override
     public Authentication extractAuthentication(Map<String, ?> map) {
 
-        String idToken = (String) map.get("id_token");
-
-        OAuth2AccessToken token = jwkTokenStore.readAccessToken(idToken);
+        String idTokenString = (String) map.get("id_token");
+        String accessTokenString = (String) map.get("access_token");
 
+        OAuth2AccessToken token = jwkTokenStore.readAccessToken(idTokenString);
+        OAuth2AccessToken accessToken = jwkTokenStore.readAccessToken(accessTokenString);
         String refreshToken = (String) map.get("refresh_token");
 
         Map<String, Object> claims = token.getAdditionalInformation();
@@ -36,6 +37,6 @@ public class CustomIdTokenConverter extends DefaultUserAuthenticationConverter {
 
         List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
 
-        return new CustomAuthenticationData(principal, claims, authorities, token, refreshToken);
+        return new CustomAuthenticationData(principal, claims, authorities, accessToken, refreshToken);
     }
 }
diff --git a/gms/src/main/resources/application.properties b/gms/src/main/resources/application.properties
index 9b45427b460d37cdb2b97d7c51910ae715ddc801..902956eea2233d4fb75a29a570ba10f3973f39de 100644
--- a/gms/src/main/resources/application.properties
+++ b/gms/src/main/resources/application.properties
@@ -8,7 +8,7 @@ security.oauth2.client.client-secret=gms-secret
 security.oauth2.client.access-token-uri=http://localhost/rap-ia2/auth/oauth2/token
 security.oauth2.client.user-authorization-uri=http://localhost/rap-ia2/auth/oauth2/authorize
 security.oauth2.resource.token-info-uri=http://localhost/rap-ia2/auth/oauth2/check_token
-security.oauth2.client.scope=openid,email,profile
+security.oauth2.client.scope=openid,email,profile,read:rap
 security.oauth2.resource.jwk.key-set-uri=http://localhost/rap-ia2/auth/oidc/jwks
 
 logging.level.it.inaf=TRACE