diff --git a/oidcproxy.go b/oidcproxy.go
index c9e6a65e76a7a1b71ea20904530af5670f75db60..4da7c4e674256c36d5680c7ae58056209294844d 100644
--- a/oidcproxy.go
+++ b/oidcproxy.go
@@ -156,6 +156,11 @@ func (b *backendHandler) handleCallback(w http.ResponseWriter, r *http.Request)
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
+	if !token.Valid() {
+		log.Printf("Received an invalid token from Exchange()")
+		http.Error(w, "Invalid token", http.StatusBadRequest)
+		return
+	}
 
 	// Extract the ID token and store it in our session.
 	rawIDToken := token.Extra("id_token").(string)
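Review bot: The added `token.Valid()` guard does not protect the unchecked assertion `token.Extra("id_token").(string)` on the line right after it. Assuming `token` is an `*oauth2.Token`, `Valid()` only reports that an access token is present and not expired, so a provider response without an `id_token` passes the guard and panics the handler. I would use the two-value form, `rawIDToken, ok := token.Extra("id_token").(string)`, followed by `if !ok { http.Error(w, "Missing id_token", http.StatusBadRequest); return }`. The rest of handleCallback lies outside the hunk, so it is not visible here whether the raw ID token is then verified (signature, issuer, audience, nonce) before it is stored in the session; `Valid()` should not be read as covering that.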