diff --git a/extensions/oauth/pom.xml b/extensions/oauth/pom.xml
index b59ce25668..df526f5b5d 100644
--- a/extensions/oauth/pom.xml
+++ b/extensions/oauth/pom.xml
@@ -58,6 +58,11 @@
org.slf4j
jcl-over-slf4j
+
+ org.hamcrest
+ hamcrest-library
+ test
+
diff --git a/extensions/oauth/src/main/java/com/stormpath/sdk/impl/oauth/authz/DefaultTokenResponse.java b/extensions/oauth/src/main/java/com/stormpath/sdk/impl/oauth/authz/DefaultTokenResponse.java
index 6d485eae99..ce2ec93fc0 100644
--- a/extensions/oauth/src/main/java/com/stormpath/sdk/impl/oauth/authz/DefaultTokenResponse.java
+++ b/extensions/oauth/src/main/java/com/stormpath/sdk/impl/oauth/authz/DefaultTokenResponse.java
@@ -1,11 +1,11 @@
package com.stormpath.sdk.impl.oauth.authz;
import com.stormpath.sdk.lang.Assert;
+import com.stormpath.sdk.lang.Strings;
import com.stormpath.sdk.oauth.TokenResponse;
import org.apache.oltu.oauth2.as.response.OAuthASResponse;
-import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
-import org.apache.oltu.oauth2.common.message.OAuthResponse;
import org.apache.oltu.oauth2.common.message.types.TokenType;
+import org.json.JSONObject;
import javax.servlet.http.HttpServletResponse;
@@ -26,7 +26,7 @@ public class DefaultTokenResponse implements TokenResponse {
private final String applicationHref;
- private final OAuthResponse oAuthResponse;
+ private final JSONObject oAuthResponse;
private final String idToken;
private DefaultTokenResponse(Builder builder) {
@@ -42,10 +42,22 @@ private DefaultTokenResponse(Builder builder) {
Assert.hasText(expiresIn);
Assert.hasText(applicationHref);
- try {
- oAuthResponse = builder.tokenResponseBuilder.buildJSONMessage();
- } catch (OAuthSystemException e) {
- throw new IllegalStateException("Unexpected error when building Json OAuth response.", e);
+ oAuthResponse = new JSONObject();
+ initOAuthResponse();
+ }
+
+ private void initOAuthResponse() {
+ oAuthResponse.put("token_type", tokenType);
+ oAuthResponse.put("access_token", accessToken);
+ oAuthResponse.put("expires_in", Long.parseLong(expiresIn));
+ if (Strings.hasText(scope)) {
+ oAuthResponse.put("scope", scope);
+ }
+ if (Strings.hasText(refreshToken)) {
+ oAuthResponse.put("refresh_token", refreshToken);
+ }
+ if (Strings.hasText(idToken)) {
+ oAuthResponse.put("id_token", idToken);
}
}
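Review bot: `Long.parseLong(expiresIn)` in `initOAuthResponse()` is guarded only by `Assert.hasText(expiresIn)`, so a non-numeric value escapes the constructor as a bare `NumberFormatException` with no hint of which builder field was wrong. A zero or negative lifetime would also be serialised into `expires_in` unchanged. Parsing in a small helper that names the field would fix the first point; the positivity check in the sketch below assumes non-positive lifetimes are never valid for this response. The constructor begins outside this hunk, so any earlier validation of `expiresIn` is not visible here.

```java
// … unchanged: token_type and access_token puts …
oAuthResponse.put("expires_in", parseExpiresIn(expiresIn));
// … unchanged: optional scope / refresh_token / id_token puts …

/** Parses the token lifetime in seconds, rejecting values that are not a positive whole number. */
private static long parseExpiresIn(String expiresIn) {
    final long seconds;
    try {
        seconds = Long.parseLong(expiresIn);
    } catch (NumberFormatException e) {
        throw new IllegalArgumentException("expiresIn must be a whole number of seconds.", e);
    }
    if (seconds <= 0) {
        throw new IllegalArgumentException("expiresIn must be greater than zero.");
    }
    return seconds;
}
```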
@@ -81,7 +93,7 @@ public String getApplicationHref() {
@Override
public String toJson() {
- return oAuthResponse.getBody();
+ return oAuthResponse.toString();
}
public static Builder tokenType(TokenType tokenType) {
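Review bot: `toJson()` has no Javadoc, yet the string it returns carries `access_token` and, when set, `refresh_token` and `id_token`. A comment would make the handling expectation explicit, for example `/** Returns the OAuth token response as a JSON string. The value contains bearer credentials: do not log it or store it outside the HTTP response body. */`. Member order in the output is presumably whatever `JSONObject.toString()` yields, so the comment could also say that callers should parse the result rather than compare it as a string.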
diff --git a/extensions/oauth/src/test/groovy/com/stormpath/sdk/impl/oauth/authz/DefaultTokenResponseTest.groovy b/extensions/oauth/src/test/groovy/com/stormpath/sdk/impl/oauth/authz/DefaultTokenResponseTest.groovy
new file mode 100644
index 0000000000..be098e7c4b
--- /dev/null
+++ b/extensions/oauth/src/test/groovy/com/stormpath/sdk/impl/oauth/authz/DefaultTokenResponseTest.groovy
@@ -0,0 +1,104 @@
+package com.stormpath.sdk.impl.oauth.authz
+
+import com.stormpath.sdk.oauth.TokenResponse
+import org.apache.oltu.oauth2.common.message.types.TokenType
+import org.hamcrest.Matchers
+import org.json.JSONObject
+import org.testng.annotations.Test
+
+import static Matchers.is
+import static org.hamcrest.MatcherAssert.assertThat
+
+class DefaultTokenResponseTest {
+
+ public static final String APP_HREF = "http://test.app.href.com"
+ public static final String ACCESS_TOKEN = "testAccessToken"
+ public static final String REFRESH_TOKEN = "testRefreshToken"
+ public static final String ID_TOKEN = "testIdToken"
+ public static final String SCOPE = "test scope"
+ public static final String EXPIRES_IN = "3600"
+ public static final String TOKEN_TYPE = "Bearer"
+
+ @Test
+ void testBuildCompleteResponse() {
+ TokenResponse tokenResponse = DefaultTokenResponse.tokenType(TokenType.BEARER)
+ .accessToken(ACCESS_TOKEN)
+ .refreshToken(REFRESH_TOKEN)
+ .idToken(ID_TOKEN)
+ .scope(SCOPE)
+ .expiresIn(EXPIRES_IN)
+ .applicationHref(APP_HREF)
+ .build()
+ assertThat(tokenResponse.tokenType, is(TOKEN_TYPE))
+ assertThat(tokenResponse.accessToken, is(ACCESS_TOKEN))
+ assertThat(tokenResponse.refreshToken, is(REFRESH_TOKEN))
+ assertThat(tokenResponse.idToken, is(ID_TOKEN))
+ assertThat(tokenResponse.scope, is(SCOPE))
+ assertThat(tokenResponse.expiresIn, is(EXPIRES_IN))
+ assertThat(tokenResponse.applicationHref, is(APP_HREF))
+ }
+
+ @Test
+ void testJsonWithOnlyAccessToken() {
+ TokenResponse tokenResponse = DefaultTokenResponse.tokenType(TokenType.BEARER)
+ .accessToken(ACCESS_TOKEN)
+ .expiresIn(EXPIRES_IN)
+ .scope(SCOPE)
+ .applicationHref(APP_HREF)
+ .build()
+
+ String json = tokenResponse.toJson()
+ JSONObject actual = new JSONObject(json)
+ assertField(actual, "token_type", TOKEN_TYPE)
+ assertField(actual, "access_token", ACCESS_TOKEN)
+ assertField(actual, "expires_in", EXPIRES_IN)
+ assertField(actual, "scope", SCOPE)
+ assertNoField(actual, "refresh_token")
+ assertNoField(actual, "id_token")
+ }
+
+ @Test
+ void testJsonWithAccessAndRefreshTokens() {
+ TokenResponse tokenResponse = DefaultTokenResponse.tokenType(TokenType.BEARER)
+ .accessToken(ACCESS_TOKEN)
+ .refreshToken(REFRESH_TOKEN)
+ .expiresIn(EXPIRES_IN)
+ .applicationHref(APP_HREF)
+ .build()
+
+ String json = tokenResponse.toJson()
+ JSONObject actual = new JSONObject(json)
+ assertField(actual, "token_type", TOKEN_TYPE)
+ assertField(actual, "access_token", ACCESS_TOKEN)
+ assertField(actual, "refresh_token", REFRESH_TOKEN)
+ assertField(actual, "expires_in", EXPIRES_IN)
+ assertNoField(actual, "id_token")
+ }
+
+ @Test
+ void testJsonWithAccessAndRefreshAndIdTokens() {
+ TokenResponse tokenResponse = DefaultTokenResponse.tokenType(TokenType.BEARER)
+ .accessToken(ACCESS_TOKEN)
+ .refreshToken(REFRESH_TOKEN)
+ .idToken(ID_TOKEN)
+ .expiresIn(EXPIRES_IN)
+ .applicationHref(APP_HREF)
+ .build()
+
+ String json = tokenResponse.toJson()
+ JSONObject actual = new JSONObject(json)
+ assertField(actual, "token_type", TOKEN_TYPE)
+ assertField(actual, "access_token", ACCESS_TOKEN)
+ assertField(actual, "refresh_token", REFRESH_TOKEN)
+ assertField(actual, "id_token", ID_TOKEN)
+ assertField(actual, "expires_in", EXPIRES_IN)
+ }
+
+ private static void assertField(JSONObject actual, String field, String expected) {
+ assertThat("${field} in ${actual.toString(2)}", actual.optString(field), is(expected))
+ }
+
+ private static void assertNoField(JSONObject actual, String field) {
+ assertThat("${field} present in ${actual.toString(2)}", actual.has(field), is(false))
+ }
+}
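Review bot: `assertField(actual, "expires_in", EXPIRES_IN)` reads the value with `optString`, which coerces a number to text, so these tests pass whether `expires_in` is emitted as a JSON number or as a quoted string. The point of the `Long.parseLong` call in the production change is therefore not pinned. Adding `assertThat(actual.get("expires_in") instanceof Number, is(true))` and `assertThat(actual.getLong("expires_in"), is(3600L))` would pin it. Two cases are also missing: a response built without `.scope(...)` that asserts `assertNoField(actual, "scope")`, and a build with a non-numeric `expiresIn` that asserts the expected exception type.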