diff --git a/lib/sso_push_credential.rb b/lib/sso_push_credential.rb
index 5e6452e84..38093a4fa 100644
--- a/lib/sso_push_credential.rb
+++ b/lib/sso_push_credential.rb
@@ -9,6 +9,7 @@ def credentials(application)
 user.grant_application_permissions(application, PERMISSIONS)
 user.authorisations
+ .not_expired
 .create_with(expires_in: 10.years)
 .find_or_create_by!(application_id: application.id).token
 end
diff --git a/test/lib/sso_push_credential_test.rb b/test/lib/sso_push_credential_test.rb
index 869ccdec4..217d9b2f3 100644
--- a/test/lib/sso_push_credential_test.rb
+++ b/test/lib/sso_push_credential_test.rb
@@ -8,13 +8,12 @@ class SSOPushCredentialTest < ActiveSupport::TestCase
 context "given an already authorised application" do
 setup do
- authorisation = @user.authorisations.create!(application_id: @application.id)
- authorisation.update!(token: "foo")
+ @authorisation = @user.authorisations.create!(application_id: @application.id)
 end
 should "return the bearer token for an already-authorized application" do
 bearer_token = SSOPushCredential.credentials(@application)
- assert_equal "foo", bearer_token
+ assert_equal @authorisation.token, bearer_token
 end
 should "create required application permissions if they do not already exist" do
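Review bot: In `lib/sso_push_credential.rb`, the added `.not_expired` scope is the only thing that keeps a revoked authorisation's token from being returned as the bearer credential, and its definition is outside this hunk, so whether it filters on `revoked_at` as well as on expiry cannot be confirmed from here. The revoked-authorisation test added in the same commit relies on that behaviour, but the scope name gives no hint of it; either chain `.where(revoked_at: nil)` before `.create_with` or add a comment such as `# not_expired must also exclude revoked authorisations; see the revoked-authorisation test`. The lookup is also unordered, so if several unexpired authorisations can exist for one application, the token returned may be the one closest to expiry. The body of `credentials` starts above the hunk.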
@@ -38,6 +37,36 @@ class SSOPushCredentialTest < ActiveSupport::TestCase
 end
 end
+ context "given an application with a revoked authorisation" do
+ setup do
+ @user.authorisations.create!(application_id: @application.id, revoked_at: Time.current)
+ end
+
+ should "create a new authorisation to replace the revoked one" do
+ bearer_token = SSOPushCredential.credentials(@application)
+
+ new_authorisation = @user.authorisations.find_by(token: bearer_token)
+ assert_nil new_authorisation.revoked_at
+ assert_equal @application.id, new_authorisation.application_id
+ end
+ end
+
+ context "given an application with an expired authorisation" do
+ setup do
+ travel(-1.day) do
+ @user.authorisations.create!(application_id: @application.id, expires_in: 0)
+ end
+ end
+
+ should "create a new authorisation to replace the expired one" do
+ bearer_token = SSOPushCredential.credentials(@application)
+
+ new_authorisation = @user.authorisations.find_by(token: bearer_token)
+ assert new_authorisation.expires_at > Time.current
+ assert_equal @application.id, new_authorisation.application_id
+ end
+ end
+
+ should "create an authorisation if one does not already exist" do
 assert_equal 0, @user.authorisations.count
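Review bot: Neither new context asserts that the returned token differs from the revoked or expired one, so both tests would still pass if the lookup cleared `revoked_at` or extended the expiry on the old row and handed the same token back. Keeping the stale record in `setup` (for example `@stale = @user.authorisations.create!(...)`) and adding `assert_not_equal @stale.token, bearer_token` would pin the property that matters here: a revoked or expired bearer token is never reissued. `find_by` can also return nil, which would surface as a NoMethodError on `revoked_at` or `expires_at` rather than as an assertion failure; `assert_not_nil new_authorisation` before those lines gives a clearer failure.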