diff --git a/integration-tests/authorize.test.ts b/integration-tests/authorize.test.ts
index 10a9475..0aaf30a 100644
--- a/integration-tests/authorize.test.ts
+++ b/integration-tests/authorize.test.ts
@@ -48,7 +48,10 @@ describe('Authorize', () => {
 when("I make a request to a secured page")
- then("the response status should be {status}", 401)
+ then("the proxy should redirect me to $oidc_server_url/authorize", ({ resp, oauthServerUrl }) => {
+ assert(resp.statusCode === 303)
+ assert(resp.headers.location!.split('?')[0] === `${oauthServerUrl}/authorize`)
+ })
 and("session variable {varName} should be cleared", Session.RefreshToken)
 })
diff --git a/src/handlers/auth-access.ts b/src/handlers/auth-access.ts
index 49f6e23..8feb32b 100644
--- a/src/handlers/auth-access.ts
+++ b/src/handlers/auth-access.ts
@@ -26,10 +26,20 @@ export const auth_access: RequestHandler = async (ctx) => {
 const refreshToken = vars[Session.RefreshToken]
 if (refreshToken) {
 log.info?.(`authorize: refreshing token for user ${getCookie(Cookie.Username)}`)
- const { idToken } = await refreshTokens(ctx, refreshToken)
- exposeClaims(ctx, idToken)
- return authorizeAccess(ctx, idToken, conf)
+ const tokenSet = await refreshTokens(ctx, refreshToken).catch(err => {
+ if (err.status === 401) {
+ // The refresh token probably just expired, so let's act like the user
+ // is unauthenticated.
+ log.info?.(`authorize: invalid refresh token: ${err.detail ?? err.message}`)
+ } else {
+ throw err
+ }
+ })
+ if (tokenSet) {
+ exposeClaims(ctx, tokenSet.idToken)
+ return authorizeAccess(ctx, tokenSet.idToken, conf)
+ }
 }
 if (isAnonymousAllowed(conf)) {
diff --git a/src/handlers/auth-pages.ts b/src/handlers/auth-pages.ts
index b43d93e..7ccc74e 100644
--- a/src/handlers/auth-pages.ts
+++ b/src/handlers/auth-pages.ts
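Review bot: `resp.headers.location!` on the third added line turns a missing Location header into a TypeError from `.split` instead of a readable assertion failure; guard it first, `assert(resp.headers.location, 'expected a Location header')`, then compare, and `assert.strictEqual(...)` would report the actual URL when the comparison fails. The step title names `$oidc_server_url` while the callback destructures `oauthServerUrl`; presumably the harness maps the placeholder, but the mismatch is worth aligning. Only the part before `?` is checked, so nothing pins the redirect's query parameters; if the harness exposes them, asserting that a `state` value is present would also cover the CSRF-protection half of the authorize redirect.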
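Review bot: The `err.status === 401` test in the new `.catch` handler is narrower than the token endpoint's contract: RFC 6749 §5.2 answers an expired or revoked refresh token with HTTP 400 and `error=invalid_grant`, while 401 is reserved for failed client authentication, so if `refreshTokens` surfaces the upstream status unchanged the common expiry case is rethrown and fails the request instead of falling through to the unauthenticated path. Unless the helper already normalises this, the branch should also accept the 400/`invalid_grant` response (matching on the OAuth error code rather than a bare 400, so genuine request bugs still surface), and the same applies to the identical handler in the `auth-pages.ts` hunk, which argues for one shared helper next to `refreshTokens`. `err` is `any` inside a `.catch` callback, so `err.status` and `err.detail` are unchecked; an `instanceof` guard against the error type `refreshTokens` throws would keep this honest under `strict`. Since the stale refresh token stays in the session on this path, every later request repeats the upstream call until something clears `Session.RefreshToken`; the test's `and("session variable ... should be cleared")` step suggests that already happens downstream, but it is worth confirming. auth_access continues outside the hunk.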
@@ -53,9 +53,19 @@ export const auth_pages: RequestHandler = async (ctx) => {
 const refreshToken = vars[Session.RefreshToken]
 if (refreshToken) {
 log.info?.(`authorize: refreshing token for user ${getCookie(Cookie.Username)}`)
- const { idToken } = await refreshTokens(ctx, refreshToken)
- return await authorizeAccess(ctx, idToken, accessRule)
+ const tokenSet = await refreshTokens(ctx, refreshToken).catch(err => {
+ if (err.status === 401) {
+ // The refresh token probably just expired, so let's act like the user
+ // is unauthenticated.
+ log.info?.(`authorize: invalid refresh token: ${err.detail ?? err.message}`)
+ } else {
+ throw err
+ }
+ })
+ if (tokenSet) {
+ return await authorizeAccess(ctx, tokenSet.idToken, accessRule)
+ }
 }
 if (isAnonymousAllowed(accessRule)) {