diff --git a/src/oidcserver.js b/src/oidcserver.js
index f19e9f007..3f4c96d31 100644
--- a/src/oidcserver.js
+++ b/src/oidcserver.js
@@ -651,14 +651,14 @@ async function start() {
 // first default check of the module to ensure this is a valid client with auth
 if (client.clientAuthMethod === 'none' && token.clientId !== ctx.oidc.client.clientId) return false;
- const internalClient = await oidcClients.get(token.clientId);
+ const internalClient = await oidcClients.get(ctx.oidc.client.clientId);
 if (!internalClient) return false;
 // check if we have an app, if so we have to check access
 const internalApp = internalClient.appId ? await apps.get(internalClient.appId) : null;
 if (internalApp) {
 const user = await users.getByUsername(token.accountId);
- return apps.canAccess(app, user);
+ return apps.canAccess(internalApp, user);
 }
 // unknown app
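Review bot: The new `internalClient` lookup is keyed on the calling client, but the guard above it only rejects a `token.clientId` mismatch when `client.clientAuthMethod === 'none'`. For an authenticated client, the access check therefore runs against the caller's app, while `token.accountId` may come from a token issued to a different client. If cross-client use is not intended, reject it before the lookup with `if (token.clientId !== ctx.oidc.client.clientId) return false;`; if it is intended, say so in a comment such as `// access is evaluated for the calling client's app, not the client the token was issued to`. Separately, the result of `users.getByUsername(token.accountId)` goes straight into `apps.canAccess`, and whether a missing user is denied there is not visible in this hunk. The enclosing callback starts and ends outside the hunk.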