diff --git a/src/actors/openid_sessions_actor.rs b/src/actors/openid_sessions_actor.rs
index 1a818b2..bef589f 100644
--- a/src/actors/openid_sessions_actor.rs
+++ b/src/actors/openid_sessions_actor.rs
@@ -28,7 +28,7 @@ pub struct Session {
 impl Session {
     pub fn is_expired(&self) -> bool {
-        self.code_expire_on < time() || self.token_expire_at < time()
+        self.code_expire_on < time() && self.token_expire_at < time()
     }
 }
diff --git a/src/controllers/openid_controller.rs b/src/controllers/openid_controller.rs
index 5654264..540cf38 100644
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@@ -111,7 +111,11 @@ pub async fn authorize(user: CurrentUser, query: web::Query,
         (_, _) => None
     };
-    // TODO : Check if user is authorized to access the application
+    // Check if user is authorized to access the application
+    if !user.can_access_app(&client.id) {
+        return error_redirect(&query, "invalid_request",
+            "User is not authorized to access this application!");
+    }
     // Save all authentication information in memory
     let session = Session {
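Review bot: With `&&` in `is_expired`, a `Session` is reported live as long as either deadline is still in the future, so any caller that gates the authorization-code exchange on `is_expired()` will now accept a code past `code_expire_on` whenever `token_expire_at` has not passed yet (and vice versa for the token). The two deadlines have different lifetimes and are checked at different steps of the flow, so the combined predicate cannot express either check on its own; add `pub fn is_code_expired(&self) -> bool { self.code_expire_on < time() }` and `pub fn is_token_expired(&self) -> bool { self.token_expire_at < time() }` and have each grant step call the one that applies, keeping `is_expired` for the eviction case only. `time()` is also evaluated twice in the same expression; `let now = time();` once makes the comparison consistent. The callers of `is_expired` are outside this hunk, so which step they guard cannot be confirmed here.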
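Review bot: The new denial branch reports `invalid_request`, which tells the client its request was malformed rather than that access was refused; RFC 6749 §4.1.2.1 defines `access_denied` for the case where the resource owner or authorization server refuses, so the line should read `return error_redirect(&query, "access_denied", "User is not authorized to access this application!");`. A denied access attempt is also a signal worth keeping for audit, so consider a log line naming the user and `client.id` at the decision point before the return. This assumes the redirect target used by `error_redirect` has already been validated against the registered client earlier in `authorize`, which lies outside the hunk, as does the rest of the function body on both sides.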