diff --git a/handlers.go b/handlers.go
index 87b55b73..b8dfb948 100644
--- a/handlers.go
+++ b/handlers.go
@@ -139,6 +139,13 @@ func (r *oauthProxy) oauthCallbackHandler(w http.ResponseWriter, req *http.Reque
 return
 }
 
+ // step: check the id token is valid
+ if err = verifyToken(r.client, token); err != nil {
+ r.log.Error("unable to verify the id token", zap.Error(err))
+ r.accessForbidden(w, req)
+ return
+ }
+
 access, id, err := parseToken(resp.AccessToken)
 if err == nil {
 token = access
@@ -146,13 +153,6 @@ func (r *oauthProxy) oauthCallbackHandler(w http.ResponseWriter, req *http.Reque
 } else {
 r.log.Warn("unable to parse the access token, using id token only", zap.Error(err))
 }
-
- // step: check the access token is valid
- if err = verifyToken(r.client, token); err != nil {
- r.log.Error("unable to verify the id token", zap.Error(err))
- r.accessForbidden(w, req)
- return
- }
 accessToken := token.Encode()
 // step: are we encrypting the access token?
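Review bot: With the check moved ahead of `parseToken(resp.AccessToken)`, the `access` value that replaces `token` in the `if err == nil` branch is never passed through `verifyToken`, so the value later encoded by `token.Encode()` is the unverified access token rather than the verified id token. That may be intentional — the access token comes straight from the token endpoint response and may not be a JWT the same verifier accepts — but the asymmetry deserves a comment at the swap, e.g. `// only the id token is verified above; the access token is taken as-is from the token endpoint response`. If anything downstream trusts claims inside the encoded token, consider running `verifyToken(r.client, access)` before assigning `token = access` and falling back to the id token on failure. The removed block in the second hunk is the other half of this move and needs no separate change. oauthCallbackHandler starts before this hunk and continues past it.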