diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index 6c7e8d0e5..6f8f11362 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -235,7 +235,14 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 ClientDetailsEntity client = refreshToken.getClient();
 AuthenticationHolderEntity authHolder = refreshToken.getAuthenticationHolder();
-
+
+ // make sure that the client requesting the token is the one who owns the refresh token
+ ClientDetailsEntity requestingClient = clientDetailsService.loadClientByClientId(authRequest.getClientId());
+ if (requestingClient.getClientId() != client.getClientId()) {
+ tokenRepository.removeRefreshToken(refreshToken);
+ throw new InvalidClientException("Client does not own the presented refresh token");
+ }
+
 //Make sure this client allows access token refreshing
 if (!client.isAllowRefresh()) {
 throw new InvalidClientException("Client does not allow refreshing access token!");
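Review bot: The new ownership check compares the two client ids with `!=`, which is a reference comparison on `String`, so two equal ids held in separate objects (the normal case for values loaded from the repository and from the request) are reported as a mismatch, and the legitimate client's refresh token is then destroyed by `tokenRepository.removeRefreshToken` before the `InvalidClientException` is thrown. Use a value comparison instead, `if (!client.getClientId().equals(requestingClient.getClientId())) {`, or compare `authRequest.getClientId()` directly against `client.getClientId()` and drop the extra `loadClientByClientId` lookup. The contract of `loadClientByClientId` for an unknown id is not visible here; if it can return null, `requestingClient.getClientId()` throws a NullPointerException before the check runs, so confirm that or guard it. The enclosing method, and by the hunk header counts the hunk itself, continue past the visible text.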