diff --git a/CHANGELOG.md b/CHANGELOG.md
index b6773d9..f115338 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
-## [1.0.0] - 2020-09-16
+## [1.0.0] - 2020-10-16
 ### Added
@@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 ### Changed
+- Properly handle token expiry in the sabre dav auth backend - [#108](https://github.com/owncloud/openidconnect/pull/108)
 - Limit OpenID Connect logins to users of specific user backend - [#100](https://github.com/owncloud/openidconnect/issues/100)
 - Properly evaluate the config setting use-token-introspection-endpoint - [#98](https://github.com/owncloud/openidconnect/issues/98)
 - Bump libraries
diff --git a/lib/Sabre/OpenIdSabreAuthBackend.php b/lib/Sabre/OpenIdSabreAuthBackend.php
index 231dc2d..b848510 100644
--- a/lib/Sabre/OpenIdSabreAuthBackend.php
+++ b/lib/Sabre/OpenIdSabreAuthBackend.php
@@ -110,18 +110,23 @@ private function isDavAuthenticated($username) {
 protected function validateBearerToken($bearerToken) {
 if ($this->userSession->isLoggedIn() && $this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
+ try {
- // verify the bearer token
- $tokenUser = $this->authModule->authToken($bearerToken);
- if ($tokenUser === null) {
+ // verify the bearer token
+ $tokenUser = $this->authModule->authToken($bearerToken);
+ if ($tokenUser === null) {
+ return false;
+ }
+
+ // setup the user
+ $userId = $this->userSession->getUser()->getUID();
+ $this->setupFilesystem($userId);
+ $this->session->close();
+ return $this->principalPrefix . $userId;
+ } catch (\Exception $ex) {
+ $this->session->close();
 return false;
 }
-
- // setup the user
- $userId = $this->userSession->getUser()->getUID();
- $this->setupFilesystem($userId);
- $this->session->close();
- return $this->principalPrefix . $userId;
 }
 $this->setupFilesystem();
diff --git a/tests/unit/Sabre/OpenIdSabreAuthBackendTest.php b/tests/unit/Sabre/OpenIdSabreAuthBackendTest.php
index 2d7d3db..a289856 100644
--- a/tests/unit/Sabre/OpenIdSabreAuthBackendTest.php
+++ b/tests/unit/Sabre/OpenIdSabreAuthBackendTest.php
@@ -23,6 +23,7 @@ namespace OCA\OpenIdConnect\Tests\Unit\Sabre;
 use OC\HintException;
+use OC\User\LoginException;
 use OC\User\Session;
 use OCA\OpenIdConnect\OpenIdConnectAuthModule;
 use OCA\OpenIdConnect\Sabre\OpenIdSabreAuthBackend;
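Review bot: The new `catch (\Exception $ex)` around `authToken()` collapses every failure — an expired token, but also an unreachable introspection endpoint, a misconfigured provider, or an error thrown by `setupFilesystem($userId)` inside the same `try` — into a silent `return false`, and `$ex` is discarded, so none of these can be told apart from a bad token in the logs. The accompanying test throws `OC\User\LoginException`, which suggests the handler could be narrowed to that type (or whatever `authToken()` actually raises on expiry — confirm against `OpenIdConnectAuthModule`) with everything else rethrown, or at least recorded before the deny. If this class has a logger, `$this->logger->debug('bearer token rejected: ' . $ex->getMessage(), ['app' => 'openidconnect']);` in the catch would do; if it does not, a comment such as `// expired/invalid token or introspection failure: deny without leaking the reason` should explain why the catch-all is intended. Note also that the `$tokenUser === null` branch returns without `$this->session->close()` while the catch branch does close the session, so the two deny paths behave differently — presumably both should close it. validateBearerToken's body continues past the end of this hunk.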
@@ -152,4 +153,17 @@ public function testNotLoggedInWithValidToken(): void {
 $return = $this->backend->check($this->sabreRequest, $this->sabreResponse);
 self::assertEquals([true, 'principals/users/alice'], $return);
 }
+
+ public function testTokenExpiry(): void {
+ $this->userSession->method('isLoggedIn')->willReturn(true);
+ $user = $this->createMock(IUser::class);
+ $user->method('getUID')->willReturn('alice');
+ $this->userSession->method('getUser')->willReturn($user);
+ $this->session->method('get')->with(OpenIdSabreAuthBackend::DAV_AUTHENTICATED)->willReturn('alice');
+
+ $this->authModule->expects(self::once())->method('authToken')->with('1234567890')->willThrowException(new LoginException(':zzz:'));
+
+ $return = $this->backend->check($this->sabreRequest, $this->sabreResponse);
+ self::assertEquals([false, 'Bearer token was incorrect'], $return);
+ }
 }
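Review bot: testTokenExpiry does not verify the part of the fix that is specific to the exception path, namely that the session is closed before the deny; it only checks the `[false, 'Bearer token was incorrect']` return value. Adding `$this->session->expects(self::once())->method('close');` next to the existing `$this->session->method('get')` stub would pin that behaviour (assuming `$this->session` is a PHPUnit mock, as the `method('get')` stub suggests). The expected message `'Bearer token was incorrect'` does not appear in the backend hunk, so it presumably originates in a caller of `validateBearerToken` outside this diff — worth a short comment in the test saying where it comes from.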