diff --git a/server/http_test.go b/server/http_test.go
index 299623a5b603335511eb9c9e03b53c6938f1121d..e797c9d11ee755da1bfb4b44aa3213fb6ff20286 100644
--- a/server/http_test.go
+++ b/server/http_test.go
@@ -69,12 +69,12 @@ func startTestHTTPServer(t testing.TB) (string, *httptest.Server) {
 	return tmpdir, srv
 }
 
-func startTestHTTPServerWithKeyStore(t testing.TB) (string, *httptest.Server) {
+func startTestHTTPServerWithKeyStore(t testing.TB) (string, *httptest.Server, *fakeKeyStore) {
 	ks := createFakeKeyStore(t, "testuser", "password")
 
 	tmpdir, _ := ioutil.TempDir("", "")
 	config := testConfig(t, tmpdir, ks.URL)
-	return tmpdir, createTestHTTPServer(t, config)
+	return tmpdir, createTestHTTPServer(t, config), ks
 }
 
 func makeHTTPClient(dnsOverrides map[string]string, followExternalRedirects bool) *http.Client {
@@ -453,7 +453,13 @@ func TestHTTP_LoginOTP_Intermediate404(t *testing.T) {
 	doPostForm(t, c, httpSrv.URL+"/login/otp", v, checkRedirectToTargetService)
 }
 
-func createFakeKeyStore(t testing.TB, username, password string) *httptest.Server {
+type fakeKeyStore struct {
+	*httptest.Server
+	values map[string]string
+}
+
+func createFakeKeyStore(t testing.TB, username, password string) *fakeKeyStore {
+	values := make(map[string]string)
 	h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		if req.URL.Path != "/api/open" {
 			http.NotFound(w, req)
@@ -464,20 +470,18 @@ func createFakeKeyStore(t testing.TB, username, password string) *httptest.Serve
 			t.Errorf("bad JSON body: %v", err)
 			return
 		}
-		if openReq.Username != username {
-			t.Errorf("bad username in keystore Open request: expected %s, got %s", username, openReq.Username)
-		}
-		if openReq.Password != password {
-			t.Errorf("bad password in keystore Open request: expected %s, got %s", password, openReq.Password)
-		}
+		values[openReq.Username] = openReq.Password
 		w.Header().Set("Content-Type", "application/json")
 		io.WriteString(w, "{}") // nolint
 	})
-	return httptest.NewServer(h)
+	return &fakeKeyStore{
+		Server: httptest.NewServer(h),
+		values: values,
+	}
 }
 
 func TestHTTP_LoginWithKeyStore(t *testing.T) {
-	tmpdir, httpSrv := startTestHTTPServerWithKeyStore(t)
+	tmpdir, httpSrv, ks := startTestHTTPServerWithKeyStore(t)
 	defer os.RemoveAll(tmpdir)
 	defer httpSrv.Close()
 
@@ -497,6 +501,11 @@ func TestHTTP_LoginWithKeyStore(t *testing.T) {
 	v.Set("username", "testuser")
 	v.Set("password", "password")
 	doPostForm(t, c, httpSrv.URL+"/login", v, checkRedirectToTargetService)
+
+	// Verify that the keystore has been called.
+	if v := ks.values["testuser"]; v != "password" {
+		t.Fatalf("keystore not called as expected: ks_values=%+v", ks.values)
+	}
 }
 
 func TestHTTP_CORS(t *testing.T) {