diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index ac56cbd3..9b0a6467 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -665,7 +665,10 @@ static int action_resize(void)
 r = crypt_activate_by_token(cd, NULL, ARG_INT32(OPT_TOKEN_ID_ID), NULL, CRYPT_ACTIVATE_KEYRING_KEY);
 tools_keyslot_msg(r, UNLOCKED);
- if (r < 0 && ARG_SET(OPT_TOKEN_ONLY_ID))
+
+ if (r >= 0)
+ goto resize;
+ else if (ARG_SET(OPT_TOKEN_ONLY_ID))
 goto out;
 r = tools_get_key(NULL, &password, &passwordLen,
@@ -682,6 +685,7 @@ static int action_resize(void)
 crypt_safe_free(password);
 }
+resize:
 if (ARG_UINT64(OPT_DEVICE_SIZE_ID))
 dev_size = ARG_UINT64(OPT_DEVICE_SIZE_ID) / SECTOR_SIZE;
 else
diff --git a/tests/compat-test2 b/tests/compat-test2
index c3852cd3..912be598 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -29,6 +29,7 @@ PWDW="rUkL4RUryBom"
 TEST_KEYRING_NAME="compattest2_keyring"
 TEST_TOKEN0="compattest2_desc0"
 TEST_TOKEN1="compattest2_desc1"
+TEST_TOKEN2="compattest2_desc2"
 VK_FILE="compattest2_vkfile"
 IMPORT_TOKEN="{\"type\":\"some_type\",\"keyslots\":[],\"base64_data\":\"zxI7vKB1Qwl4VPB4D-N-OgcC14hPCG0IDu8O7eCqaQ\"}"
 TOKEN_FILE0=test-token-file0
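Review bot: The new `goto resize;` in the first hunk of src/cryptsetup.c jumps out of the token-activation block past the passphrase prompt and the `crypt_safe_free(password)` call, and neither the jump nor the `resize:` label added in the second hunk says why that is safe. A short comment at the jump would help, for example `/* token unlocked the volume via the keyring; no passphrase was read, so there is nothing to free */`, assuming `password` is still unset on that path (its declaration is outside the hunk). The `else` after the `goto` is redundant; `if (r >= 0) goto resize;` followed by a plain `if (ARG_SET(OPT_TOKEN_ONLY_ID)) goto out;` reads more directly. Without `--token-only`, every negative return from `crypt_activate_by_token()` still falls through to the passphrase prompt, which looks intentional but deserves a line saying so. The enclosing block of `action_resize()` starts and ends outside both hunks.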
@@ -496,6 +497,18 @@ echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV || fai
 echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
 if dm_crypt_keyring_support; then
 echo | $CRYPTSETUP -q resize --size 100 $DEV_NAME 2>/dev/null && fail
+ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
+ test_and_prepare_keyring
+ load_key user $TEST_TOKEN2 $PWD1 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
+ $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN2 --token-id 1 || fail
+ $CRYPTSETUP -q resize --size 99 $DEV_NAME <&- || fail
+ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "99 sectors" || fail
+ #replace kernel key with wrong pass
+ load_key user $TEST_TOKEN2 $PWD2 "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
+ # must fail due to --token-only
+ echo $PWD1 | $CRYPTSETUP -q resize --token-only --size 100 $DEV_NAME && fail
+ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" && fail
+ fi
 fi
 echo $PWD1 | $CRYPTSETUP -q resize --size 100 $DEV_NAME || fail
 $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "100 sectors" || fail
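Review bot: `--token-only` is exercised here only in the failing direction, and `&& fail` accepts any non-zero exit, so a `resize --token-only` that breaks for an unrelated reason would still pass this block. A positive check while the correct key is still loaded, for example `$CRYPTSETUP -q resize --token-only --size 98 $DEV_NAME <&- || fail` placed before the second `load_key`, would pin the success path of the new `goto resize`. The block also leaves token 1 in the header and the `$TEST_TOKEN2` key holding `$PWD2` in the keyring; whether later steps rely on a clean state is not visible from this hunk.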