diff --git a/core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php b/core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php
index c18d1da..843c109 100644
--- a/core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php
+++ b/core/tests/Drupal/Tests/Core/Form/FormBuilderTest.php
@@ -126,10 +126,16 @@ public function testGetFormIdWithBaseForm() {
 /**
 * Tests the prepareForm() method with a post request.
+ *
+ * You can explicitly remove form token checking by using #token = FALSE.
 */
 public function testPrepareFormPost() {
- // By default the user is anonymous, so the form_token is ot emitted.
- $this->formBuilder->setCurrentUser($this->account);
+ // The user is anonymous, so the form_token is not emitted.
+ $account = clone $this->account;
+ $account->expects($this->any())
+ ->method('isAuthenticated')
+ ->will($this->returnValue(FALSE));
+ $this->formBuilder->setCurrentUser($account);
 $form = array();
 $form_state = $this->formBuilder->getFormStateDefaults();
 $form = (new TestForm())->buildForm($form, $form_state);
@@ -139,7 +145,15 @@ public function testPrepareFormPost() {
 $this->assertTrue(isset($form['form_build_id']));
 $this->assertTrue(isset($form['form_id']));
 $this->assertFalse(isset($form['form_token']));
- return;
+
+ // Now test with a mock authenticated user account. The form_token should
+ // now be present and all three hidden elements render by default, so
+ // the #access key is not set.
+ $account = clone $this->account;
+ $account->expects($this->any())
+ ->method('isAuthenticated')
+ ->will($this->returnValue(TRUE));
+ $this->formBuilder->setCurrentUser($account);
 $form = array();
 $form_state = $this->formBuilder->getFormStateDefaults();
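Review bot: The anonymous-user setup added at the top of `testPrepareFormPost()` (clone the account mock, stub `isAuthenticated`, call `setCurrentUser`) is repeated for the authenticated case in the next hunk and again in `testPrepareFormGetWithTokenChecking()`, differing only in the boolean. A small protected helper on the test class would keep every copy complete and turn each case into one readable call; the helper name below is only a suggestion. Both test bodies continue outside the hunks shown.

```php
  /**
   * Sets a cloned account mock as the current user of the form builder.
   *
   * @param bool $authenticated
   *   The value the mock returns from isAuthenticated().
   */
  protected function setMockCurrentUser($authenticated) {
    $account = clone $this->account;
    $account->expects($this->any())
      ->method('isAuthenticated')
      ->will($this->returnValue($authenticated));
    $this->formBuilder->setCurrentUser($account);
  }

  public function testPrepareFormPost() {
    // The user is anonymous, so the form_token is not emitted.
    $this->setMockCurrentUser(FALSE);
    // … unchanged: form build and prepareForm() assertions …
```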
@@ -154,7 +168,8 @@ public function testPrepareFormPost() {
 $this->assertTrue(isset($form['form_token']));
 $this->assertFalse(isset($form['form_token']['#access']));
- // Make sure the form ID and build ID are still set even with no token.
+ // Make sure the form ID and build ID are still set even with no token,
+ // still with an authenticated user.
 $form = array();
 $form_state = $this->formBuilder->getFormStateDefaults();
 $form = (new TestForm())->buildForm($form, $form_state);
@@ -170,10 +185,13 @@ public function testPrepareFormPost() {
 /**
 * Tests the prepareForm() method with a get request with token checking.
- *
- * You can explicitly remove form token checking by using #token = FALSE.
 */
 public function testPrepareFormGetWithTokenChecking() {
+ // The user is anonymous, so the form_token is not emitted.
+ $account = clone $this->account;
+ $account->expects($this->any())
+ ->method('isAuthenticated')
+ ->will($this->returnValue(FALSE));
 $form = array();
 $form_state = array(
 'method' => 'get',
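Review bot: The anonymous mock built at the top of `testPrepareFormGetWithTokenChecking()` is never handed to the form builder: the added lines stop at `->will($this->returnValue(FALSE));`, whereas the other copies of this setup in the patch go on to call `setCurrentUser()`. The `assertFalse(isset($form['form_token']))` check that the following hunk adds for this case therefore runs against whatever account the builder already holds from setup code outside the visible lines, so it does not pin the "no form token for anonymous users" behaviour to this mock. Add `$this->formBuilder->setCurrentUser($account);` directly after the `->will(...)` line. The function body continues past the end of this hunk.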
@@ -183,13 +201,41 @@ public function testPrepareFormGetWithTokenChecking() {
 $this->formBuilder->prepareForm('my_module_form_id', $form, $form_state);
 $this->assertEquals('get', $form['#method']);
+ $this->assertTrue(isset($form['form_build_id']));
+ $this->assertTrue(isset($form['form_id']));
+ $this->assertFalse(isset($form['form_token']));
+
+ // Now test with a mock authenticated user account. The form_token should
+ // now be present and all three hidden elements render by default, so
+ // the #access key is not set.
+ $account = clone $this->account;
+ $account->expects($this->any())
+ ->method('isAuthenticated')
+ ->will($this->returnValue(TRUE));
+ $this->formBuilder->setCurrentUser($account);
+
+ $form = array();
+ $form_state = array(
+ 'method' => 'get',
+ );
+ $form_state += $this->formBuilder->getFormStateDefaults();
+ $form = (new TestForm())->buildForm($form, $form_state);
+ $this->formBuilder->prepareForm('my_module_form_id2', $form, $form_state);
+
+ $this->assertEquals('get', $form['#method']);
+ $this->assertTrue(isset($form['form_build_id']));
 $this->assertFalse(isset($form['form_build_id']['#access']));
+ $this->assertTrue(isset($form['form_id']));
 $this->assertFalse(isset($form['form_id']['#access']));
+ $this->assertTrue(isset($form['form_token']));
 $this->assertFalse(isset($form['form_token']['#access']));
 }
 /**
 * Tests the prepareForm() method with a get request without token checking.
+ *
+ * You can explicitly remove form token checking by using #token = FALSE or
+ * by setting $form_state['always_process'] = TRUE when using get.
 */
 public function testPrepareFormGetWithoutTokenChecking() {
 $form = array();
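Review bot: The presence checks added in both passes of `testPrepareFormGetWithTokenChecking()` are written as `$this->assertTrue(isset($form['form_token']))`, which on failure reports only that false is not true. These assertions decide whether the request-forgery token element is emitted, so the failure output should name the missing key. Using `$this->assertArrayHasKey('form_token', $form, 'Authenticated users get a form token on GET forms.');` for the authenticated pass, and `assertArrayNotHasKey` for the anonymous pass, gives that. Note that `isset()` also treats a NULL value as absent, so the key-based assertions are slightly stricter. The same applies to the `form_build_id` and `form_id` checks in this hunk.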