diff --git a/server/impl/src/main/java/com/walmartlabs/concord/server/boot/filters/ConcordAuthenticatingFilter.java b/server/impl/src/main/java/com/walmartlabs/concord/server/boot/filters/ConcordAuthenticatingFilter.java
index 77768ea284..b986cff5a7 100644
--- a/server/impl/src/main/java/com/walmartlabs/concord/server/boot/filters/ConcordAuthenticatingFilter.java
+++ b/server/impl/src/main/java/com/walmartlabs/concord/server/boot/filters/ConcordAuthenticatingFilter.java
@@ -42,6 +42,7 @@
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import java.io.IOException;
@@ -147,6 +148,15 @@ protected boolean onLoginFailure(AuthenticationToken token, AuthenticationExcept
 s.logout();
 }
 
+HttpSession session = ((HttpServletRequest) request).getSession(false);
+if (session != null) {
+session.invalidate();
+
+// remove JSESSIONID cookie
+HttpServletResponse resp = WebUtils.toHttp(response);
+resp.addHeader("Set-Cookie", "JSESSIONID=; Path=/; HttpOnly");
+}
+
 return super.onLoginFailure(token, e, request, response);
 }
 
diff --git a/server/plugins/oidc/src/main/java/com/walmartlabs/concord/server/plugins/oidc/OidcCallbackFilter.java b/server/plugins/oidc/src/main/java/com/walmartlabs/concord/server/plugins/oidc/OidcCallbackFilter.java
index 6ffe4c7138..28fdde61a0 100644
--- a/server/plugins/oidc/src/main/java/com/walmartlabs/concord/server/plugins/oidc/OidcCallbackFilter.java
+++ b/server/plugins/oidc/src/main/java/com/walmartlabs/concord/server/plugins/oidc/OidcCallbackFilter.java
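Review bot: The clearing header `resp.addHeader("Set-Cookie", "JSESSIONID=; Path=/; HttpOnly")` carries no `Max-Age` or `Expires`, so a browser stores an empty-valued session cookie rather than deleting the old one, and the stale identifier is kept until the browser closes; `resp.addHeader("Set-Cookie", "JSESSIONID=; Path=/; Max-Age=0; HttpOnly");` actually expires it. The cookie name and path are also hard-coded, so the header misses a session cookie the container issues under a different name or scoped to the context path instead of `/`; `session.getServletContext().getSessionCookieConfig()` exposes the configured name, path and Secure/HttpOnly flags, and mirroring those here (or building a `Cookie` with `setMaxAge(0)` and `resp.addCookie`) keeps the deletion in step with whatever the container actually set. Minor: `((HttpServletRequest) request)` sits next to `WebUtils.toHttp(response)`; `WebUtils.toHttp(request)` keeps both conversions consistent. onLoginFailure begins outside the hunk.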
@@ -20,11 +20,13 @@
 * =====
 */
 
+import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.web.util.WebUtils;
 import org.pac4j.core.config.Config;
 import org.pac4j.core.context.JEEContext;
 import org.pac4j.core.context.session.SessionStore;
 import org.pac4j.core.engine.CallbackLogic;
+import org.pac4j.core.exception.TechnicalException;
 import org.pac4j.core.util.Pac4jConstants;
 
 import javax.inject.Inject;
@@ -51,7 +53,7 @@ public OidcCallbackFilter(PluginConfiguration cfg,
 
 @Override
 @SuppressWarnings("unchecked")
-public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException {
 HttpServletRequest req = WebUtils.toHttp(request);
 HttpServletResponse resp = WebUtils.toHttp(response);
 
@@ -67,8 +69,12 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 postLoginUrl = cfg.getAfterLoginUrl();
 }
 
-CallbackLogic callback = pac4jConfig.getCallbackLogic();
-callback.perform(context, pac4jConfig, pac4jConfig.getHttpActionAdapter(), postLoginUrl, true, false, true, OidcPluginModule.CLIENT_NAME);
+try {
+CallbackLogic callback = pac4jConfig.getCallbackLogic();
+callback.perform(context, pac4jConfig, pac4jConfig.getHttpActionAdapter(), postLoginUrl, true, false, true, OidcPluginModule.CLIENT_NAME);
+} catch (TechnicalException e) {
+throw new AuthorizationException("OIDC callback error: " + e.getMessage());
+}
 }
 
 @Override
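Review bot: `throw new AuthorizationException("OIDC callback error: " + e.getMessage())` in the new catch block drops the TechnicalException as the cause, so the stack trace and any chained exception from the pac4j callback never reach the logs; Shiro's AuthorizationException has a (String, Throwable) constructor, so `throw new AuthorizationException("OIDC callback error: " + e.getMessage(), e);` keeps it. Copying `e.getMessage()` into the new message also means whatever pac4j put there (provider responses, token-validation detail) travels with the exception; if the handler for AuthorizationException echoes messages to the client (that code is outside this diff), a fixed message here with the cause logged server-side is the safer shape. doFilter begins outside this hunk, in the preceding one.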