diff --git a/oauthproxy.go b/oauthproxy.go
index dd2b58e9e..34afe728c 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -524,6 +524,11 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 session, err := p.redeemCode(req.Host, req.Form.Get("code"))
 if err != nil {
+ if err == providers.ErrPermissionDenied {
+ log.Printf("%s Permission Denied: user is unauthorized when redeeming token", remoteAddr)
+ p.ErrorPage(rw, 403, "Permission Denied", "Invalid Account")
+ return
+ }
 log.Printf("%s error redeeming code %s", remoteAddr, err)
 p.ErrorPage(rw, 500, "Internal Error", "Internal Error")
 return
diff --git a/providers/providers.go b/providers/providers.go
index fb2e5fc51..ecec04d34 100644
--- a/providers/providers.go
+++ b/providers/providers.go
@@ -1,6 +1,8 @@
 package providers
 import (
+ "errors"
+
 "github.com/bitly/oauth2_proxy/cookie"
 )
@@ -16,6 +18,9 @@ type Provider interface {
 CookieForSession(*SessionState, *cookie.Cipher) (string, error)
 }
+// ErrPermissionDenied may be returned from Redeem() to indicate the user is not allowed to login.
+var ErrPermissionDenied = errors.New("permission denied")
+
 func New(provider string, p *ProviderData) Provider {
 switch provider {
 case "myusa":
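Review bot: The new branch at `if err == providers.ErrPermissionDenied` only fires if redeemCode hands the provider's error back unchanged; if redeemCode (outside this hunk) wraps it with fmt.Errorf or similar, the branch is dead and every denial falls through to the 500 "Internal Error" path below it. If the module's Go version has errors.Is, `if errors.Is(err, providers.ErrPermissionDenied) {` (importing errors if oauthproxy.go does not already) is the robust form; otherwise the unwrapped-return contract should be stated on redeemCode and on the sentinel's doc comment in the providers/providers.go hunk, e.g. `// ErrPermissionDenied may be returned from Redeem() to indicate the user is not allowed to log in; implementations must return it unwrapped so callers can compare with ==.`. The 403 log line intentionally drops the sentinel err, but unlike the 500 path it records nothing about which account was refused, which is the detail an operator auditing denied logins will want — worth including if redeemCode can surface it. `http.StatusForbidden` from the already-imported net/http would read better than the literal 403, though the existing 500 line uses a literal as well. OAuthCallback's body continues past both ends of the hunk.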