diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 86aa1b1d428bfa6049248e0c831a6e47c3baf7cf..6596cf334fd2e80e1ef7919db970aaba6e401944 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -145,8 +145,10 @@ behave-integration:
     GRAPHQL_URL: "http://172.17.0.6:5000/graphql" # 172.17.0.6 -> backend
     GIT_SUBMODULE_STRATEGY: "recursive"
     TESTUSER_USERNAME: "testuser"
+    TESTUSER_USERNAME2: "testuser2"
     TESTUSER_PASSWORD: "password"
     TESTUSER_EMAIL: "testuser@example.net"
+    TESTUSER_EMAIL2: "testuser2@example.net"
     DSN: "memory"
     SECRETS_SYSTEM: "youReallyNeedToChangeThis"
     OIDC_SUBJECT_TYPES_SUPPORTED: "public,pairwise"
@@ -166,11 +168,12 @@ behave-integration:
   script:
     - echo "WAIT FOR SERVICES TO INITIALIZE" && sleep 20
     - /bin/sh user-panel/utils/create-user.sh ${TESTUSER_USERNAME} ${TESTUSER_PASSWORD} ${TESTUSER_EMAIL} backend 5000
+    - /bin/sh user-panel/utils/create-user.sh ${TESTUSER_USERNAME2} ${TESTUSER_PASSWORD} ${TESTUSER_EMAIL2} backend 5000
     - /bin/sh user-panel/utils/create-application.sh ${KEY} backend 5000
     - /bin/sh user-panel/utils/grant-access.sh ${TESTUSER_USERNAME} ${KEY} backend 5000
     - /bin/sh test/create-hydra-client.sh ${KEY} ${SECRET} hydra 4445 http://oauth:5000/callback
     - cd test/login_logout/test/behave/
-    - python3 -m behave -D headless=True -D url=http://oauth:5000 -D logout_url=http://oauth:5000/logout -D username=${TESTUSER_USERNAME} -D password=${TESTUSER_PASSWORD}
+    - python3 -m behave -D headless=True -D url=http://oauth:5000 -D logout_url=http://oauth:5000/logout -D username=${TESTUSER_USERNAME} -D username2=${TESTUSER_USERNAME2} -D password=${TESTUSER_PASSWORD}
   artifacts:
     paths:
       - test/login_logout/test/behave/screenshots/
diff --git a/consent_provider/app.py b/consent_provider/app.py
index 8c1cc284bed3bc7d3bc9898fecac8cebbb75c8b5..177ca4ea39e26df64b5f216498a1d55cf6141af5 100644
--- a/consent_provider/app.py
+++ b/consent_provider/app.py
@@ -26,6 +26,11 @@ def home():
             grant_access_token_audience=consent_request.requested_access_token_audience,
             session=session,
             ))
+    else:
+        return redirect(consent_request.reject(
+            "Permission denied",
+            error_description="Login request was denied due to missing application permission")
+            )
     abort(400)
 
 if __name__ == '__main__':
diff --git a/test/login_logout/test/behave/features/environment.py b/test/login_logout/test/behave/features/environment.py
index 53dff843851bace237e8c45fd090486101d764d6..f60dbc8160b874a3d65a37de028fd55a76b8400e 100644
--- a/test/login_logout/test/behave/features/environment.py
+++ b/test/login_logout/test/behave/features/environment.py
@@ -40,6 +40,7 @@ def before_tag(context, tag):
     values['url'] = userdata.get('url')
     values['logout_url'] = userdata.get('logout_url')
     values['username'] = userdata.get('username')
+    values['username2'] = userdata.get('username2')
     values['password'] = userdata.get('password')
     assert values['url'], 'url variable missing in' \
         'userdata. Provide it with "-D url".'
diff --git a/test/login_logout/test/behave/features/login.feature b/test/login_logout/test/behave/features/login.feature
index b39728822ea56427a15fbe0c71ebba89274afc5b..f7a9cc0144e9272a0031b33252740e8b75732238 100644
--- a/test/login_logout/test/behave/features/login.feature
+++ b/test/login_logout/test/behave/features/login.feature
@@ -25,3 +25,18 @@ Scenario: Logout
     Then I wait on element "input#username" for 1000ms to be visible
     And I expect that element "input#password" is visible
     And I expect that element "input#submit" is visible
+
+Scenario: Login with a valid user without access to an application
+    Given I open the URL
+    Then I wait on element "input#username" for 1000ms to be visible
+    And I expect that element "input#password" is visible
+    And I expect that element "input#submit" is visible
+    When I enter the "username2" in the inputfield "input#username"
+    And I enter the "password" in the inputfield "input#password"
+    And I click on the button "input#submit"
+    Then I wait on element "input#password" for 1000ms to not exist
+    And I expect that element "input#username" does not exist
+    And I expect that the path is "/callback"
+    And I expect that element "body" contains the text "error"
+    And I expect that element "body" contains the text "Permission denied"
+    And I expect that element "body" contains the text "missing application permission"