diff --git a/tests/views/test_oauth2.py b/tests/views/test_oauth2.py
index 8efd0a84fea789cf069665158ce0c875ecc6b274..012ac0849c3d7deecf939ab82d8564ba3ddd7367 100644
--- a/tests/views/test_oauth2.py
+++ b/tests/views/test_oauth2.py
@@ -493,6 +493,10 @@ class TestOIDCBasicProfile(UffdTestCase):
 	def validate_token_response(self, r, nonce='testnonce', client_id='test'):
 		self.assertEqual(r.status_code, 200)
 		self.assertEqual(r.content_type, 'application/json')
+		# OIDC Core 1.0 section 3.1.3.3:
+		# > All Token Responses that contain tokens, secrets, or other sensitive
+		# > information MUST include the following HTTP response header fields and values:
+		# >   Cache-Control: no-store
 		self.assertIn('Cache-Control', r.headers)
 		self.assertEqual(r.headers['Cache-Control'].lower(), 'no-store')
 		for key in r.json:
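Review bot: The relocated comment now sits directly above the `Cache-Control` assertions, but the check covers only that one header. RFC 6749 section 5.1 also requires `Pragma: no-cache` on responses carrying tokens, and earlier revisions of OIDC Core 3.1.3.3 listed it as well, as far as I recall. If the server is expected to send it, a companion assertion such as `self.assertEqual(r.headers.get('Pragma', '').lower(), 'no-cache')` would pin that down. If it is deliberately omitted, a line in the comment saying so would help. validate_token_response continues past the end of this hunk.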
@@ -514,10 +518,6 @@ class TestOIDCBasicProfile(UffdTestCase):
 			# scope       = scope-token *( SP scope-token )
 			# scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
 			self.assertRegex(r.json['scope'], r'^[!#-\[\]-~]+( [!#-\[\]-~]+)*$')
-		# OIDC Core 1.0 section 3.1.3.3:
-		# > All Token Responses that contain tokens, secrets, or other sensitive
-		# > information MUST include the following HTTP response header fields and values:
-		# >   Cache-Control: no-store
 		self.assertIn('id_token', r.json)
 		return self.validate_id_token(r.json['id_token'], nonce=nonce, client_id=client_id)
 
@@ -566,6 +566,8 @@ class TestOIDCBasicProfile(UffdTestCase):
 		r = self.do_auth_request(response_type='code')
 		args = self.validate_auth_response(r)
 		r = self.do_token_request(grant_type='authorization_code', code=args['code'])
+		print(r, repr(r.response), repr(r.json))
+		self.assertTrue(False)
 		id_token = self.validate_token_response(r)
 		self.assertEqual(id_token['sub'], '10000')
 		r = self.do_userinfo_request(r.json['access_token'])
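Review bot: The two lines added after `do_token_request` look like leftover debugging and should be dropped before merge. `self.assertTrue(False)` fails the test unconditionally, so `validate_token_response`, the `sub` check and the userinfo request below it never run. The `print(r, repr(r.response), repr(r.json))` writes the whole token response, including the access token and ID token, to the test output; even with fixture credentials that is a pattern worth keeping out of CI logs. If the response needs to be visible on failure, attach the body as the message of the status check, e.g. `self.assertEqual(r.status_code, 200, r.json)`, so it is only shown when the request did not succeed. The test method starts above this hunk and continues past it.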