diff --git a/clientapi/auth/sso/oauth2.go b/clientapi/auth/sso/oauth2.go
index d94320b5c..4d62ce3a6 100644
--- a/clientapi/auth/sso/oauth2.go
+++ b/clientapi/auth/sso/oauth2.go
@@ -136,6 +136,10 @@ func (p *oauth2IdentityProvider) getAccessToken(ctx context.Context, callbackURL
 	}
 	defer hresp.Body.Close() // nolint:errcheck
 
+	if hresp.StatusCode/100 != 2 {
+		return "", fmt.Errorf("OAuth2 access token request %q failed: %d %s", p.accessTokenURL, hresp.StatusCode, hresp.Status)
+	}
+
 	var resp oauth2TokenResponse
 	if err := json.NewDecoder(hresp.Body).Decode(&resp); err != nil {
 		return "", err
@@ -170,7 +174,7 @@ func (p *oauth2IdentityProvider) getUserInfo(ctx context.Context, accessToken st
 	if err != nil {
 		return "", "", "", err
 	}
-	hreq.Header.Set("Authorization", "token "+accessToken)
+	hreq.Header.Set("Authorization", "Bearer "+accessToken)
 	hreq.Header.Set("Accept", p.responseMimeType)
 
 	hresp, err := p.hc.Do(hreq)
@@ -179,6 +183,10 @@ func (p *oauth2IdentityProvider) getUserInfo(ctx context.Context, accessToken st
 	}
 	defer hresp.Body.Close() // nolint:errcheck
 
+	if hresp.StatusCode/100 != 2 {
+		return "", "", "", fmt.Errorf("OAuth2 user info request %q failed: %d %s", p.userInfoURL, hresp.StatusCode, hresp.Status)
+	}
+
 	body, err := ioutil.ReadAll(hresp.Body)
 	if err != nil {
 		return "", "", "", err
diff --git a/clientapi/auth/sso/oidc.go b/clientapi/auth/sso/oidc.go
index d8ff07faa..9d96c5cb6 100644
--- a/clientapi/auth/sso/oidc.go
+++ b/clientapi/auth/sso/oidc.go
@@ -138,6 +138,10 @@ func oidcDiscover(ctx context.Context, url string) (*oidcDiscovery, error) {
 	}
 	defer hresp.Body.Close() // nolint:errcheck
 
+	if hresp.StatusCode/100 != 2 {
+		return nil, fmt.Errorf("OIDC discovery request %q failed: %d %s", url, hresp.StatusCode, hresp.Status)
+	}
+
 	var disc oidcDiscovery
 	if err := json.NewDecoder(hresp.Body).Decode(&disc); err != nil {
 		return nil, fmt.Errorf("decoding OIDC discovery response from %q: %w", url, err)
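Review bot: Each new status check formats both `hresp.StatusCode` and `hresp.Status`, but `http.Response.Status` already carries the numeric code (for example `401 Unauthorized`), so these messages come out as `failed: 401 401 Unauthorized`; the same pattern appears in the getAccessToken hunk, the second getUserInfo hunk and the oidcDiscover hunk. `fmt.Errorf("OAuth2 access token request %q failed: %s", p.accessTokenURL, hresp.Status)` is enough, or keep `%d` and pair it with `http.StatusText(hresp.StatusCode)` if you want the code present even when a server omits the reason phrase. Rejecting non-2xx before decoding is the right call, since previously an IdP error body could be decoded into an empty oauth2TokenResponse and silently yield a blank token. These errors embed the configured IdP endpoints, so it is worth confirming that the login handler they flow back to does not echo them verbatim to the client; all three enclosing functions start and end outside their hunks.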