diff --git a/keystoneclient/auth/identity/base.py b/keystoneclient/auth/identity/base.py
index 4b02f944b..172655d66 100644
--- a/keystoneclient/auth/identity/base.py
+++ b/keystoneclient/auth/identity/base.py
@@ -134,8 +134,11 @@ class BaseIdentityPlugin(base.BaseAuthPlugin):
                        invalidate. This means that it makes sense to try again.
                        If nothing happens returns False to indicate give up.
         """
-        self.auth_ref = None
-        return True
+        if self.auth_ref:
+            self.auth_ref = None
+            return True
+
+        return False
 
     def get_endpoint(self, session, service_type=None, interface=None,
                      region_name=None, service_name=None, version=None,
diff --git a/keystoneclient/tests/auth/test_identity_common.py b/keystoneclient/tests/auth/test_identity_common.py
index b8ff8da6a..371fd18ef 100644
--- a/keystoneclient/tests/auth/test_identity_common.py
+++ b/keystoneclient/tests/auth/test_identity_common.py
@@ -209,6 +209,18 @@ class CommonIdentityTests(object):
         s = session.Session(auth=a)
         self.assertIs(expired_auth_ref, a.get_access(s))
 
+    def test_invalidate(self):
+        a = self.create_auth_plugin()
+        s = session.Session(auth=a)
+
+        # trigger token fetching
+        s.get_token()
+
+        self.assertTrue(a.auth_ref)
+        self.assertTrue(a.invalidate())
+        self.assertIsNone(a.auth_ref)
+        self.assertFalse(a.invalidate())
+
 
 class V3(CommonIdentityTests, utils.TestCase):