diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
index 00b1eb6..07344fd 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
@@ -25,18 +25,9 @@
 public class OAuth2AccessTokenTest extends SpringJerseyTest {
 
     // test access token for username: dory
-    private static String testAccessToken;
-
-    @BeforeClass
-    public static void init () throws IOException {
-        InputStream is = OAuth2AccessTokenTest.class.getClassLoader()
-                .getResourceAsStream("test-oauth2.token");
-
-        try (BufferedReader reader =
-                new BufferedReader(new InputStreamReader(is));) {
-            testAccessToken = reader.readLine();
-        }
-    }
+    // see:
+    // full/src/main/resources/db/insert/V3.5__insert_oauth2_clients.sql
+    private static String testAccessToken = "249c64a77f40e2b5504982cc5521b596";
 
     @Test
     public void testListVC () throws KustvaktException {
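Review bot: The bearer token is now a mutable static literal in `testAccessToken`, and the same value is repeated inline in OAuth2OpenIdControllerTest, so the fixture has two places to keep in sync; declaring it `private static final String testAccessToken = "…";` and reusing it from the other test would avoid that. The added comment points at an insert script under `src/main/resources`, so it is worth confirming that this migration is applied only to test databases. If it also runs in a deployed instance, a token published in the repository would presumably be accepted for user dory. The comment could say so directly, e.g. `// fixture token for user dory, seeded by V3.5__insert_oauth2_clients.sql; must not exist in a production database`.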
@@ -84,7 +75,8 @@
         JsonNode node = JsonUtils.readTree(ent);
         assertEquals(StatusCodes.INVALID_ACCESS_TOKEN,
                 node.at("/errors/0/0").asInt());
-        assertEquals("Access token is not found", node.at("/errors/0/1").asText());
+        assertEquals("Access token is not found",
+                node.at("/errors/0/1").asText());
     }
 
     @Test
@@ -97,12 +89,13 @@
                 .get(ClientResponse.class);
 
         String ent = response.getEntity(String.class);
-        
+
         assertEquals(ClientResponse.Status.UNAUTHORIZED.getStatusCode(),
                 response.getStatus());
 
         JsonNode node = JsonUtils.readTree(ent);
         assertEquals(StatusCodes.EXPIRED, node.at("/errors/0/0").asInt());
-        assertEquals("Access token is expired", node.at("/errors/0/1").asText());
+        assertEquals("Access token is expired",
+                node.at("/errors/0/1").asText());
     }
 }
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java
index 6594fdd..9032c67 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java
@@ -13,6 +13,7 @@
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
 
+import org.apache.http.HttpStatus;
 import org.apache.http.entity.ContentType;
 import org.apache.oltu.oauth2.common.message.types.TokenType;
 import org.junit.Test;
@@ -27,6 +28,7 @@
 import com.nimbusds.jose.crypto.RSASSAVerifier;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 import com.sun.jersey.api.client.ClientHandlerException;
 import com.sun.jersey.api.client.ClientResponse;
@@ -38,6 +40,7 @@
 import de.ids_mannheim.korap.config.FullConfiguration;
 import de.ids_mannheim.korap.config.SpringJerseyTest;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.exceptions.StatusCodes;
 import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;
 import de.ids_mannheim.korap.utils.JsonUtils;
 
@@ -185,7 +188,6 @@
             throws KustvaktException {
 
         ClientResponse response = sendAuthorizationRequest(form);
-        System.out.println(response.getEntity(String.class));
         URI location = response.getLocation();
         assertEquals(MediaType.APPLICATION_FORM_URLENCODED,
                 response.getType().toString());
@@ -254,21 +256,54 @@
     }
 
     @Test
+    public void testRequestAuthorizationCodeAuthenticationTooOld ()
+            throws KustvaktException {
+        MultivaluedMap<String, String> form = new MultivaluedMapImpl();
+        form.add("response_type", "code");
+        form.add("client_id", "fCBbQkAyYzI4NzUxMg");
+        form.add("redirect_uri", redirectUri);
+        form.add("scope", "openid");
+        form.add("max_age", "1800");
+
+        ClientResponse response =
+                resource().path("oauth2").path("openid").path("authorize")
+                        .header(Attributes.AUTHORIZATION,
+                                "Bearer 249c64a77f40e2b5504982cc5521b596")
+                        .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
+                        .header(HttpHeaders.CONTENT_TYPE,
+                                ContentType.APPLICATION_FORM_URLENCODED)
+                        .entity(form).post(ClientResponse.class);
+
+        assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatus());
+        String entity = response.getEntity(String.class);
+        JsonNode node = JsonUtils.readTree(entity);
+        assertEquals(StatusCodes.USER_REAUTHENTICATION_REQUIRED,
+                node.at("/errors/0/0").asInt());
+        assertEquals(
+                "User reauthentication is required because the authentication "
+                        + "time is too old according to max_age",
+                node.at("/errors/0/1").asText());
+    }
+
+    @Test
     public void testRequestAccessToken ()
             throws KustvaktException, ParseException, InvalidKeySpecException,
             NoSuchAlgorithmException, JOSEException {
         String client_id = "fCBbQkAyYzI4NzUxMg";
+        String nonce = "thisIsMyNonce";
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
         form.add("response_type", "code");
         form.add("client_id", client_id);
         form.add("redirect_uri", redirectUri);
         form.add("scope", "openid");
         form.add("state", "thisIsMyState");
+        form.add("nonce", nonce);
 
         ClientResponse response = sendAuthorizationRequest(form);
         URI location = response.getLocation();
         MultiValueMap<String, String> params =
                 UriComponentsBuilder.fromUri(location).build().getQueryParams();
+        assertEquals("thisIsMyState", params.getFirst("state"));
         String code = params.getFirst("code");
 
         MultivaluedMap<String, String> tokenForm = new MultivaluedMapImpl();
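Review bot: testRequestAuthorizationCodeAuthenticationTooOld only passes if the seeded token's authentication time is more than 1800 seconds in the past, and nothing in the test states or sets that. A comment such as `// the seeded token's authentication time comes from the insert script and is older than max_age` (to be confirmed against the fixture) would make the dependency explicit. Only the rejection path is covered: there is no case where `max_age` is satisfied, and none for a malformed client-supplied value such as `max_age=-1` or a non-numeric string, which should produce an error rather than be treated as no limit. The bearer token literal in the Authorization header duplicates the one in OAuth2AccessTokenTest. testRequestAccessToken continues past the end of this hunk.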
@@ -280,7 +315,6 @@
 
         ClientResponse tokenResponse = sendTokenRequest(tokenForm);
         String entity = tokenResponse.getEntity(String.class);
-        // System.out.println(entity);
 
         JsonNode node = JsonUtils.readTree(entity);
         assertNotNull(node.at("/access_token").asText());
@@ -291,12 +325,12 @@
         String id_token = node.at("/id_token").asText();
         assertNotNull(id_token);
 
-        verifyingIdToken(id_token, username, client_id);
+        verifyingIdToken(id_token, username, client_id, nonce);
     }
 
     private void verifyingIdToken (String id_token, String username,
-            String client_id) throws ParseException, InvalidKeySpecException,
-            NoSuchAlgorithmException, JOSEException {
+            String client_id, String nonce) throws ParseException,
+            InvalidKeySpecException, NoSuchAlgorithmException, JOSEException {
         JWKSet keySet = config.getPublicKeySet();
         RSAKey publicKey = (RSAKey) keySet.getKeyByKeyId(config.getRsaKeyId());
 
@@ -304,13 +338,13 @@
         JWSVerifier verifier = new RSASSAVerifier(publicKey);
         assertTrue(signedJWT.verify(verifier));
 
-        assertEquals(client_id,
-                signedJWT.getJWTClaimsSet().getAudience().get(0));
-        assertEquals(username, signedJWT.getJWTClaimsSet().getSubject());
-        assertEquals(config.getIssuerURI().toString(),
-                signedJWT.getJWTClaimsSet().getIssuer());
-        assertTrue(new Date()
-                .before(signedJWT.getJWTClaimsSet().getExpirationTime()));
+        JWTClaimsSet claimsSet = signedJWT.getJWTClaimsSet();
+        assertEquals(client_id, claimsSet.getAudience().get(0));
+        assertEquals(username, claimsSet.getSubject());
+        assertEquals(config.getIssuerURI().toString(), claimsSet.getIssuer());
+        assertTrue(new Date().before(claimsSet.getExpirationTime()));
+        assertNotNull(claimsSet.getClaim(Attributes.AUTHENTICATION_TIME));
+        assertEquals(nonce, claimsSet.getClaim("nonce"));
     }
 
     @Test
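Review bot: The new `assertNotNull(claimsSet.getClaim(Attributes.AUTHENTICATION_TIME))` in verifyingIdToken accepts any value for the claim, including a string or a timestamp in the future, so it does not show that the server reports when the user actually authenticated. Reading it as a date and bounding it would make the check meaningful: `Date authTime = claimsSet.getDateClaim(Attributes.AUTHENTICATION_TIME);`, `assertNotNull(authTime);`, `assertTrue(!authTime.after(new Date()));` (ParseException is already declared). The audience check also looks only at `getAudience().get(0)`; asserting `assertEquals(1, claimsSet.getAudience().size())` as well would catch a token issued to additional audiences. The method's signature is in the previous hunk.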
@@ -319,14 +353,14 @@
                 .path("jwks").get(ClientResponse.class);
         String entity = response.getEntity(String.class);
         JsonNode node = JsonUtils.readTree(entity);
-        assertEquals(1,node.at("/keys").size());
+        assertEquals(1, node.at("/keys").size());
         node = node.at("/keys/0");
         assertEquals("RSA", node.at("/kty").asText());
         assertEquals(config.getRsaKeyId(), node.at("/kid").asText());
         assertNotNull(node.at("/e").asText());
         assertNotNull(node.at("/n").asText());
     }
- 
+
     @Test
     public void testOpenIDConfiguration () throws KustvaktException {
         ClientResponse response = resource().path("oauth2").path("openid")
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
index 9ff8db4..89b0f3c 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
@@ -178,6 +178,7 @@
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
                 .get(ClientResponse.class);
         String entity = response.getEntity(String.class);
+        System.out.println(entity);
         JsonNode node = JsonUtils.readTree(entity);
         assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
         assertEquals(StatusCodes.AUTHORIZATION_FAILED,
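Review bot: The added `System.out.println(entity);` looks like leftover debugging. The same commit removes equivalent prints from OAuth2OpenIdControllerTest, and this one writes the server's error body to the build log on every run. Dropping the line keeps the test output clean; if the body is useful on failure, pass it as the assertion message instead, e.g. `assertEquals(entity, Status.UNAUTHORIZED.getStatusCode(), response.getStatus());`. The enclosing test method starts and ends outside this hunk.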
diff --git a/full/src/test/resources/kustvakt-test.conf b/full/src/test/resources/kustvakt-test.conf
index 9061918..6a6b5c2 100644
--- a/full/src/test/resources/kustvakt-test.conf
+++ b/full/src/test/resources/kustvakt-test.conf
@@ -62,7 +62,7 @@
 openid.token.signing.algorithms = RS256
 openid.subject.types = public
 openid.display.types = page
-openid.supported.scopes = openid email
+openid.supported.scopes = openid email auth_time
 openid.support.claim.param = false
 openid.claim.types = normal
 openid.supported.claims = iss sub aud exp iat
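Review bot: `auth_time` is added to `openid.supported.scopes`, but in OpenID Connect it is an ID token claim rather than a scope, and the neighbouring `openid.supported.claims = iss sub aud exp iat` still omits it. testRequestAccessToken in this commit requests only `scope=openid` and still expects both `auth_time` and `nonce` in the ID token, which suggests the claim does not depend on the new scope. If these properties feed the discovery document (not visible here), clients would see a non-standard scope while the claims list under-reports what the token carries. Unless a custom `auth_time` scope is intended, consider `openid.supported.claims = iss sub aud exp iat auth_time nonce` and leaving the scopes line unchanged.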
diff --git a/full/src/test/resources/test-oauth2.token b/full/src/test/resources/test-oauth2.token
deleted file mode 100644
index eb7b4af..0000000
--- a/full/src/test/resources/test-oauth2.token
+++ /dev/null
@@ -1 +0,0 @@
-249c64a77f40e2b5504982cc5521b596
\ No newline at end of file
