diff --git a/oidc_provider/lib/endpoints/token.py b/oidc_provider/lib/endpoints/token.py
index b98d40a..15a92e4 100644
--- a/oidc_provider/lib/endpoints/token.py
+++ b/oidc_provider/lib/endpoints/token.py
@@ -163,9 +163,8 @@ class TokenEndpoint(object):
         # Store the token.
         token.save()
 
-        # We don't need to store the code anymore.
-        self.token.refresh_token = None
-        self.token.save()
+        # Forget the old token.
+        self.token.delete()
 
         dic = {
             'access_token': token.access_token,
diff --git a/oidc_provider/tests/test_token_endpoint.py b/oidc_provider/tests/test_token_endpoint.py
index 6a373b4..f17f670 100644
--- a/oidc_provider/tests/test_token_endpoint.py
+++ b/oidc_provider/tests/test_token_endpoint.py
@@ -100,6 +100,13 @@ class TokenTestCase(TestCase):
         SIGKEYS.load_dict(jwks_dic)
         return SIGKEYS
 
+    def _get_userinfo(self, access_token):
+        url = reverse('oidc_provider:userinfo')
+        request = self.factory.get(url)
+        request.META['HTTP_AUTHORIZATION'] = 'Bearer ' + access_token
+
+        return userinfo(request)
+
     @override_settings(OIDC_TOKEN_EXPIRE=720)
     def test_authorization_code(self):
         """
@@ -170,6 +177,10 @@ class TokenTestCase(TestCase):
         response = self._post_request(post_data)
         self.assertIn('invalid_grant', response.content.decode('utf-8'))
 
+        # Old access token is invalidated
+        self.assertEqual(self._get_userinfo(response_dic1['access_token']).status_code, 401)
+        self.assertEqual(self._get_userinfo(response_dic2['access_token']).status_code, 200)
+
         # Empty refresh token is invalid
         post_data = self._refresh_token_post_data('')
         response = self._post_request(post_data)
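Review bot: `token.save()` and the new `self.token.delete()` are two separate database writes, so if the delete fails after the save the client is left holding both the new token and the old one, and the old refresh token remains replayable; the two statements should run inside one transaction, e.g. `with transaction.atomic():` around both (this assumes `django.db.transaction` is importable in this module — its import block is not in the hunk). The lookup that populates `self.token` happens outside this hunk, so I cannot tell whether the row is locked; without a `select_for_update()` two concurrent refresh requests presenting the same refresh token may both reach this point before either deletes. The new comment would also read better if it said what the deletion achieves, since the old code only cleared `refresh_token` and left the old access token usable: `# Delete the old token: this rotates the refresh token and revokes the previously issued access token.` The enclosing method starts and ends outside the hunk.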
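Review bot: `_get_userinfo` has no docstring and its name does not say it bypasses the test client and calls the view directly with a `RequestFactory` request; a one-liner such as `"""Call the userinfo view directly with a Bearer header and return its raw response (no test client, no middleware)."""` would save the next reader from guessing. The trailing blank line before `return userinfo(request)` is a small style nit. Whether `self.factory` is a `RequestFactory` is inferred from the `.get(url)` / `request.META` usage — its definition is outside the hunk.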