diff --git a/keystone/contrib/roles/controllers.py b/keystone/contrib/roles/controllers.py
index cd9bfa5d4a..71c0c0d605 100644
--- a/keystone/contrib/roles/controllers.py
+++ b/keystone/contrib/roles/controllers.py
@@ -13,6 +13,7 @@
 # under the License.
 import itertools
+import datetime
 from keystone import exception
 from keystone.common import controller
@@ -414,6 +415,9 @@ def validate_oauth2_token(self, context, token_id):
 # We validate the token but no user info is provided
 return { }
+
+ if not token['valid'] or datetime.datetime.strptime(token['expires_at'], '%Y-%m-%d %H:%M:%S') < datetime.datetime.today():
+ raise exception.Unauthorized
 user = self.identity_api.get_user(token['authorizing_user_id'])
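Review bot: The new validity/expiry check in `validate_oauth2_token` is placed after the `return { }` of the "no user info is provided" branch, so a token that takes that branch is still reported as valid even when `token['valid']` is false or `expires_at` has passed. Indentation is lost on this page and the branch condition and the start of the function are outside the hunk, but the check most likely needs to move above that early return. The comparison also uses `datetime.datetime.today()`, which is naive local time; if `expires_at` is stored in UTC (not visible here) the expiry is skewed by the host's UTC offset, so compare against `datetime.datetime.utcnow()` instead. A missing key or an `expires_at` that does not match `'%Y-%m-%d %H:%M:%S'` raises `KeyError`/`ValueError` and surfaces as a server error rather than `exception.Unauthorized`, so it is worth catching those and raising `exception.Unauthorized` explicitly.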