diff --git a/src/oidcserver.js b/src/oidcserver.js
index 42f9f04aa..d463eae32 100644
--- a/src/oidcserver.js
+++ b/src/oidcserver.js
@@ -242,16 +242,16 @@ async function revokeByUsername(username) {
 async function consumeAuthCode(authCode) {
     assert.strictEqual(typeof authCode, 'string');
-    let userId = null;
+    let username = null;
     await StorageAdapter.updateData('AuthorizationCode', (data) => {
         const authData = data[authCode];
         if (authData) {
-            userId = authData.payload.accountId;
+            username = authData.payload.accountId;
             authData.consumed = true;
         }
     });
-    return userId;
+    return username;
 }
 // This exposed to run on a cron job
diff --git a/src/proxyauth.js b/src/proxyauth.js
index 661ff4c83..299e17c31 100644
--- a/src/proxyauth.js
+++ b/src/proxyauth.js
@@ -150,8 +150,9 @@ async function callback(req, res, next) {
     debug(`callback: with code ${req.query.code}`);
-    const userId = await oidcServer.consumeAuthCode(req.query.code);
-    if (userId) req.user = await users.get(userId);
+    const username = await oidcServer.consumeAuthCode(req.query.code);
+    if (!username) return next(new HttpError(400, 'invalid "code"'));
+    req.user = await users.getByUsername(username);
     next();
 }
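Review bot: consumeAuthCode still hands back the username for a code that was already consumed, because the lookup only tests `if (authData)` and never reads `authData.consumed` before setting it, so an authorization code can be replayed until whatever cron job later removes it; OAuth/OIDC codes must be single-use, so the guard should be `if (authData && !authData.consumed) {`. Separately, `data[authCode]` on a plain object also resolves inherited keys, so a code such as `constructor` or `__proto__` yields a truthy function/prototype and the following `.payload.accountId` throws a TypeError inside the updateData callback instead of returning null; unless `data` is known to be a null-prototype object (not visible here), look the code up with `const authData = Object.hasOwn(data, authCode) ? data[authCode] : undefined;`. The rename itself is fine and matches the new users.getByUsername call site.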
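Review bot: `req.query.code` reaches consumeAuthCode without being checked, and that function starts with `assert.strictEqual(typeof authCode, 'string')`, so a request with no `code` or with it repeated (Express parses `?code=a&code=b` as an array) throws an AssertionError out of this async handler rather than producing the new 400; add `if (typeof req.query.code !== 'string') return next(new HttpError(400, 'missing or invalid "code"'));` before the consumeAuthCode call. The debug line above it also writes the raw authorization code to the log; it is debug-level, but a single-use credential is still worth redacting, e.g. `debug('callback: with code');`. If users.getByUsername can return null for a user removed after the code was issued, `req.user` is set to null and `next()` is still called, so the caller downstream must tolerate that or this should also return a 400. callback's opening line is above the hunk, so whether a wrapper catches rejections from the awaited calls cannot be seen here.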