diff --git a/common/models/user.js b/common/models/user.js
index 1e5d34d0..163a9bd9 100644
--- a/common/models/user.js
+++ b/common/models/user.js
@@ -1173,9 +1173,7 @@ module.exports = function(User) {
       {
         description: 'Change a user\'s password.',
         accepts: [
-          {arg: 'id', type: 'any',
-            http: ctx => ctx.req.accessToken && ctx.req.accessToken.userId,
-          },
+          {arg: 'id', type: 'any', http: getUserIdFromRequestContext},
           {arg: 'oldPassword', type: 'string', required: true, http: {source: 'form'}},
           {arg: 'newPassword', type: 'string', required: true, http: {source: 'form'}},
           {arg: 'options', type: 'object', http: 'optionsFromRequest'},
diff --git a/test/multiple-user-principal-types.test.js b/test/multiple-user-principal-types.test.js
index c6979e0e..a4123360 100644
--- a/test/multiple-user-principal-types.test.js
+++ b/test/multiple-user-principal-types.test.js
@@ -28,6 +28,7 @@ describe('Multiple users with custom principalType', function() {
     // create a local app object that does not share state with other tests
     app = loopback({localRegistry: true, loadBuiltinModels: true});
     app.set('_verifyAuthModelRelations', false);
+    app.set('remoting', {errorHandler: {debug: true, log: false}});
     app.dataSource('db', {connector: 'memory'});
 
     var userModelOptions = {
@@ -672,6 +673,51 @@ describe('Multiple users with custom principalType', function() {
     }
   });
 
+  describe('changePassword', () => {
+    let token;
+    beforeEach(givenTokenForOneUser);
+
+    it('changes password when the access token belongs to the user', () => {
+      return supertest(app)
+        .post('/OneUsers/change-password')
+        .set('Authorization', token.id)
+        .send({
+          oldPassword: commonCredentials.password,
+          newPassword: 'new-pass',
+        })
+        .expect(204)
+        .then(() => {
+          return supertest(app)
+            .post('/OneUsers/login')
+            .send({email: commonCredentials.email, password: 'new-pass'})
+            .expect(200);
+        });
+    });
+
+    it('fails when the access token belongs to a different user mode', () => {
+      debugger;
+      logServerErrorsOtherThan(403, app);
+      return supertest(app)
+        .post('/AnotherUsers/change-password')
+        .set('Authorization', token.id)
+        .send({
+          oldPassword: commonCredentials.password,
+          newPassword: 'new-pass',
+        })
+        .expect(403)
+        .then(() => {
+          return supertest(app)
+            .post('/AnotherUsers/login')
+            .send(commonCredentials)
+            .expect(200);
+        });
+    });
+
+    function givenTokenForOneUser() {
+      return OneUser.login(commonCredentials).then(t => token = t);
+    }
+  });
+
   // helpers
   function createUserModel(app, name, options) {
     var model = app.registry.createModel(Object.assign({name: name}, options));