diff --git a/src/Authentication/Provider/SimpleOauthAuthenticationProvider.php b/src/Authentication/Provider/SimpleOauthAuthenticationProvider.php
index 99b34d4..b55b3ce 100644
--- a/src/Authentication/Provider/SimpleOauthAuthenticationProvider.php
+++ b/src/Authentication/Provider/SimpleOauthAuthenticationProvider.php
@@ -9,6 +9,7 @@ use Drupal\simple_oauth\PageCache\SimpleOauthRequestPolicyInterface;
 use Drupal\simple_oauth\Server\ResourceServerInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\HttpException;
 
 /**
  * @internal
@@ -77,7 +78,11 @@ class SimpleOauthAuthenticationProvider implements AuthenticationProviderInterfa
       // Procedural code here is hard to avoid.
       watchdog_exception('simple_oauth', $exception);
-      return NULL;
+      throw new HttpException(
+        $exception->getHttpStatusCode(),
+        $exception->getHint(),
+        $exception
+      );
     }
 
     $tokens = $this->entityTypeManager->getStorage('oauth2_token')->loadByProperties([
@@ -91,12 +96,18 @@ class SimpleOauthAuthenticationProvider implements AuthenticationProviderInterfa
     if ($account->isBlocked() && $account->isAuthenticated()) {
       $token->revoke();
       $token->save();
-      throw OAuthServerException::accessDenied(
+      $exception = OAuthServerException::accessDenied(
         t(
           '%name is blocked or has not been activated yet.',
           ['%name' => $account->getAccountName()]
         )
       );
+      watchdog_exception('simple_oauth', $exception);
+      throw new HttpException(
+        $exception->getHttpStatusCode(),
+        $exception->getHint(),
+        $exception
+      );
     }
 
     // Inherit uploaded files for the current request.
diff --git a/tests/src/Functional/RolesNegotiationFunctionalTest.php b/tests/src/Functional/RolesNegotiationFunctionalTest.php
index 0d55055..155839b 100644
--- a/tests/src/Functional/RolesNegotiationFunctionalTest.php
+++ b/tests/src/Functional/RolesNegotiationFunctionalTest.php
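Review bot: The `HttpException` built after `watchdog_exception('simple_oauth', $exception)` is thrown without headers, so when `getHttpStatusCode()` is 401 the response Drupal renders has no `WWW-Authenticate` challenge, which RFC 6750 §3 requires from a resource server that rejects a bearer token; the replaced `return NULL` never produced a 401, so this conformance gap is new with this change. `HttpException` accepts a `$headers` array as its fourth constructor argument, and the same five-line throw block is repeated in the blocked-account branch of the next hunk, so one small private helper can add the challenge and replace both sites. The helper below is new code that would live elsewhere in the class; the realm value is a placeholder to adjust for the site. The enclosing `catch` block opens before this hunk.
```php
      // Procedural code here is hard to avoid.
      watchdog_exception('simple_oauth', $exception);
      throw $this->toHttpException($exception);

  // New helper, placed elsewhere in the class:
  /**
   * Converts a League OAuth error into the HttpException Drupal will render.
   *
   * A 401 from a resource server must carry a WWW-Authenticate challenge
   * (RFC 6750 §3), which a bare HttpException does not add.
   */
  protected function toHttpException(OAuthServerException $exception) {
    $status = $exception->getHttpStatusCode();
    $headers = $status === 401 ? ['WWW-Authenticate' => 'Bearer realm="OAuth"'] : [];
    return new HttpException($status, $exception->getHint(), $exception, $headers);
  }
```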
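Review bot: `$exception->getHint()` in the new `throw` of the blocked-account branch returns the `TranslatableMarkup` object built by `t()` a few lines above, not a string, so the message handed to `HttpException` depends on implicit `__toString` coercion inside the exception constructors rather than on anything visible here. Make the conversion explicit at the hand-off: `(string) $exception->getHint(),`. That hint interpolates the account name via `%name`, and with this change it is surfaced to the client in the error body rather than only written to the log; that looks intentional for a token belonging to that same account, but a one-line comment stating it would help the next reader, e.g. `// The hint is returned to the caller as the 401 body; it names only the token's own account.`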
@@ -172,13 +172,8 @@ class RolesNegotiationFunctionalTest extends BrowserTestBase {
         ],
       ]
     );
-    $parsed_response = Json::decode((string) $response->getBody());
-    // The token was successfully removed. The negotiated user is the anonymous
-    // user.
-    $this->assertEquals(0, $parsed_response['id']);
-    $this->assertEquals(['anonymous'], $parsed_response['roles']);
-    $this->assertFalse($parsed_response['permissions']['view own simple_oauth entities']['access']);
-    $this->assertFalse($parsed_response['permissions']['administer simple_oauth entities']['access']);
+    // The token was successfully removed and we were denied access.
+    $this->assertEquals(401, $response->getStatusCode());
 
     // Request the access token again. This time the user doesn't have the role
     // requested at the time of generating the token.
@@ -237,12 +232,8 @@ class RolesNegotiationFunctionalTest extends BrowserTestBase {
         ],
       ]
     );
-    $parsed_response = Json::decode((string) $response->getBody());
-    // The token was successfully removed. The negotiated user is the anonymous
-    // user.
-    $this->assertEquals(0, $parsed_response['id']);
-    $this->assertEquals(['anonymous'], $parsed_response['roles']);
-    $this->assertFalse($parsed_response['permissions']['view own simple_oauth entities']['access']);
+    // The token was successfully removed and we were denied access.
+    $this->assertEquals(401, $response->getStatusCode());
 
     $access_token = $this->getAccessToken(['oof']);
     // Get detailed information about the authenticated user.
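Review bot: Both `Json::decode(...)` calls in this file are removed here and in the second hunk, so the `use` statement importing `Json` at the top of the test file is dead unless another method still uses it; that import is outside the hunks, so please check and drop it if unused. For the new assertions, `$this->assertSame(401, $response->getStatusCode());` pins the integer status more tightly than `assertEquals`, which would also pass for the string `'401'`. Since the response is now a 401 rather than an anonymous-user payload, the test no longer checks which account was negotiated; if that distinction still matters for the revoked-token case, an assertion on the response body or the `WWW-Authenticate` header would restore some of that coverage. The test method enclosing each hunk starts outside it.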