diff --git a/common/djangoapps/entitlements/rest_api/v1/serializers.py b/common/djangoapps/entitlements/rest_api/v1/serializers.py
index a64d6d25bb31..580550b021c4 100644
--- a/common/djangoapps/entitlements/rest_api/v1/serializers.py
+++ b/common/djangoapps/entitlements/rest_api/v1/serializers.py
@@ -50,7 +50,8 @@ class CourseEntitlementSupportDetailSerializer(serializers.ModelSerializer):
 slug_field='username',
 default=serializers.CurrentUserDefault()
 )
- unenrolled_run = CourseKeyField('unenrolled_run.id')
+ # @medality_custom: this was a fix to a syntax error
+ unenrolled_run = CourseKeyField(source='unenrolled_run.id')
 class Meta:
 model = CourseEntitlementSupportDetail
diff --git a/openedx/core/djangoapps/oauth_dispatch/adapters/dot.py b/openedx/core/djangoapps/oauth_dispatch/adapters/dot.py
index 384d6f9760d9..c96b0465f4b8 100644
--- a/openedx/core/djangoapps/oauth_dispatch/adapters/dot.py
+++ b/openedx/core/djangoapps/oauth_dispatch/adapters/dot.py
@@ -65,14 +65,16 @@ def get_access_token(self, token_string):
 """
 Given a token string, return the matching AccessToken object.
 """
- return models.AccessToken.objects.get(token=token_string)
+ # @medality_custom
+ return models.get_access_token_model().objects.get(token=token_string)
 def create_access_token_for_test(self, token_string, client, user, expires):
 """
 Returns a new AccessToken object created from the given arguments.
 This method is currently used only by tests.
 """
- return models.AccessToken.objects.create(
+ # @medality_custom
+ return models.get_access_token_model().objects.create(
 token=token_string,
 application=client,
 user=user,
diff --git a/openedx/core/djangoapps/oauth_dispatch/admin.py b/openedx/core/djangoapps/oauth_dispatch/admin.py
index 333d4a3d4f2f..6316937df053 100644
--- a/openedx/core/djangoapps/oauth_dispatch/admin.py
+++ b/openedx/core/djangoapps/oauth_dispatch/admin.py
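Review bot: The comment added above `unenrolled_run` in serializers.py calls the old line a syntax error, but `CourseKeyField('unenrolled_run.id')` is valid Python; the change is that the attribute path is now bound to `source` by keyword instead of being passed positionally. Presumably the field constructor rejected or misread the positional form, which is not visible in this hunk. A comment that matches the change would be `# @medality_custom: the attribute path must be passed as source=`.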
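Review bot: The bare `# @medality_custom` markers added in `get_access_token` and `create_access_token_for_test` in adapters/dot.py do not say why the lookup changed, and the same unexplained marker recurs in the admin.py, validators.py, cookies.py and authentication.py hunks. These lines decide which model access tokens are read from and written to, so the reason belongs next to them, for example `# @medality_custom: resolve the configured (swappable) AccessToken model instead of the stock DOT class`. `create_access_token_for_test` continues past the end of the hunk.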
@@ -29,8 +29,8 @@ def decorator(cls):
 return decorator
-
-@reregister(models.AccessToken)
+# @medality_custom
+@reregister(models.get_access_token_model())
 class DOTAccessTokenAdmin(ModelAdmin):
 """
 Custom AccessToken Admin
diff --git a/openedx/core/djangoapps/oauth_dispatch/dot_overrides/validators.py b/openedx/core/djangoapps/oauth_dispatch/dot_overrides/validators.py
index 0b2ad35b2f42..0b319ea69bb7 100644
--- a/openedx/core/djangoapps/oauth_dispatch/dot_overrides/validators.py
+++ b/openedx/core/djangoapps/oauth_dispatch/dot_overrides/validators.py
@@ -8,7 +8,8 @@
 from django.contrib.auth import authenticate, get_user_model
 from django.db.models.signals import pre_save
 from django.dispatch import receiver
-from oauth2_provider.models import AccessToken
+# @medality_custom
+from oauth2_provider import models
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.scopes import get_scopes_backend
 from pytz import utc
@@ -17,7 +18,8 @@
 # pylint: disable=W0223
-@receiver(pre_save, sender=AccessToken)
+# @medality_custom
+@receiver(pre_save, sender=models.get_access_token_model())
 def on_access_token_presave(sender, instance, *args, **kwargs): # pylint: disable=unused-argument
 """
 Mark AccessTokens as expired for 'restricted applications' if required.
@@ -108,7 +110,8 @@ def _update_token_expiry_if_restricted_client(self, token, client):
 # and calculate expires_in (in seconds) from the database value. This
 # value should be a negative value, meaning that it is already expired.
 if RestrictedApplication.should_expire_access_token(client):
- access_token = AccessToken.objects.get(token=token['access_token'])
+ # @medality_custom
+ access_token = models.get_access_token_model().objects.get(token=token['access_token'])
 expires_in = (access_token.expires - _get_utc_now()).total_seconds()
 assert expires_in < 0
 token['expires_in'] = expires_in
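Review bot: At `@receiver(pre_save, sender=models.get_access_token_model())` in validators.py the model is now resolved when the module is imported, so the handler that expires tokens for restricted applications is wired to whatever the lookup returns at that moment, and the import may fail if the app registry is not ready yet. Django model signals accept a lazy `'app_label.ModelName'` sender, so `sender=oauth2_settings.ACCESS_TOKEN_MODEL` (from `oauth2_provider.settings`) would remove the import-order dependency; `@reregister(models.get_access_token_model())` in admin.py makes the same import-time call. A test that saves a token of the configured model for a restricted application and asserts it comes back expired would confirm the receiver is still connected. The function body continues outside the hunk.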
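Review bot: In `_update_token_expiry_if_restricted_client`, the line after the changed lookup relies on `assert expires_in < 0` to guarantee that a restricted client is never told its token has a positive lifetime, and asserts are stripped when Python runs with `-O`. The commit leaves that line untouched; an explicit check such as `if expires_in >= 0: raise ValueError('restricted token is not expired')` keeps the invariant in optimized runs. The method starts before the hunk.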
@@ -126,7 +129,8 @@ def _update_token_expiry_if_overridden_in_request(self, token, request):
 """
 expires_in = getattr(request, 'expires_in', None)
 if expires_in:
- access_token = AccessToken.objects.get(token=token['access_token'])
+ # @medality_custom
+ access_token = models.get_access_token_model().objects.get(token=token['access_token'])
 access_token.expires = _get_utc_now() + timedelta(seconds=expires_in)
 access_token.save()
 token['expires_in'] = expires_in
diff --git a/openedx/core/djangoapps/user_authn/cookies.py b/openedx/core/djangoapps/user_authn/cookies.py
index 24f929698fa7..404458e5c2ce 100644
--- a/openedx/core/djangoapps/user_authn/cookies.py
+++ b/openedx/core/djangoapps/user_authn/cookies.py
@@ -14,7 +14,8 @@
 from django.utils.http import http_date, parse_http_date
 from edx_rest_framework_extensions.auth.jwt import cookies as jwt_cookies
 from edx_rest_framework_extensions.auth.jwt.constants import JWT_DELIMITER
-from oauth2_provider.models import Application
+# @medality_custom
+from oauth2_provider import models as oauth_models
 from common.djangoapps.student.models import UserProfile
 from openedx.core.djangoapps.oauth_dispatch.adapters import DOTAdapter
@@ -354,6 +355,8 @@ def _get_login_oauth_client():
 Returns the configured OAuth Client/Application used for Login.
 """
 login_client_id = settings.JWT_AUTH['JWT_LOGIN_CLIENT_ID']
+ # @medality_custom
+ Application = oauth_models.get_application_model()
 try:
 return Application.objects.get(client_id=login_client_id)
 except Application.DoesNotExist:
diff --git a/openedx/core/lib/api/authentication.py b/openedx/core/lib/api/authentication.py
index a762d398b378..7acc47dc4bb3 100644
--- a/openedx/core/lib/api/authentication.py
+++ b/openedx/core/lib/api/authentication.py
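Review bot: In `_update_token_expiry_if_overridden_in_request`, `expires_in` is read from the request with `getattr` and written into `access_token.expires` after nothing more than a truthiness test in the lines shown. Where `request.expires_in` gets set is not visible here; if a caller-influenced value can reach it, the lifetime should be type-checked and bounded before the save, e.g. `expires_in = min(int(expires_in), MAX_OVERRIDE_SECONDS)`, where the constant name is a placeholder for a project-defined limit. The method's docstring begins before the hunk.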
@@ -92,7 +92,14 @@ def authenticate_credentials(self, access_token):
 })
 else:
 user = token.user
- has_application = dot_models.Application.objects.filter(user_id=user.id)
+ # @medality_custom start
+ if not token.is_valid():
+ raise AuthenticationFailed({
+ 'error_code': OAUTH2_TOKEN_ERROR,
+ 'developer_message': 'The provided access token is not valid.'
+ })
+ has_application = dot_models.get_application_model().objects.filter(user_id=user.id)
+ # @medality_custom end
 if not user.has_usable_password() and not has_application:
 msg = 'User disabled by admin: %s' % user.get_username()
 raise AuthenticationFailed({
@@ -116,7 +123,8 @@ def get_access_token(self, access_token):
 Return a valid access token stored by django-oauth-toolkit (DOT), or None if no matching token is found.
 """
- token_query = dot_models.AccessToken.objects.select_related('user')
+ # @medality_custom
+ token_query = dot_models.get_access_token_model().objects.select_related('user')
 return token_query.filter(token=access_token).first()
 def authenticate_header(self, request):
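Review bot: The new `token.is_valid()` check in `authenticate_credentials` is called without scopes, and in stock django-oauth-toolkit that form only re-tests expiry, so what it adds depends on an override in the configured token model that this diff does not show. The marker comment should say what is being enforced, e.g. `# @medality_custom: reject tokens the custom AccessToken model reports as invalid`, and the new 'not valid' response needs a test. On the changed `has_application` line the queryset is used only for truthiness in the next condition, so `.filter(user_id=user.id).exists()` avoids loading the rows. The method starts before and ends after the hunk.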