diff --git a/pkg/op/auth_request.go b/pkg/op/auth_request.go
index 2ebedb5..35e6521 100644
--- a/pkg/op/auth_request.go
+++ b/pkg/op/auth_request.go
@@ -2,6 +2,7 @@ package op
 import (
 	"context"
+	"fmt"
 	"net"
 	"net/http"
 	"net/url"
@@ -78,6 +79,14 @@ func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer) {
 			return
 		}
 	}
+	if authReq.ClientID == "" {
+		AuthRequestError(w, r, authReq, fmt.Errorf("auth request is missing client_id"), authorizer.Encoder())
+		return
+	}
+	if authReq.RedirectURI == "" {
+		AuthRequestError(w, r, authReq, fmt.Errorf("auth request is missing redirect_uri"), authorizer.Encoder())
+		return
+	}
 	validation := ValidateAuthRequest
 	if validater, ok := authorizer.(AuthorizeValidator); ok {
 		validation = validater.ValidateAuthRequest
@@ -378,6 +387,10 @@ func RedirectToLogin(authReqID string, client Client, w http.ResponseWriter, r *
 func AuthorizeCallback(w http.ResponseWriter, r *http.Request, authorizer Authorizer) {
 	params := mux.Vars(r)
 	id := params["id"]
+	if id == "" {
+		AuthRequestError(w, r, nil, fmt.Errorf("auth request callback is missing id"), authorizer.Encoder())
+		return
+	}
 	authReq, err := authorizer.Storage().AuthRequestByID(r.Context(), id)
 	if err != nil {
diff --git a/pkg/op/token_code.go b/pkg/op/token_code.go
index b21871e..185fad8 100644
--- a/pkg/op/token_code.go
+++ b/pkg/op/token_code.go
@@ -53,7 +53,7 @@ func ValidateAccessTokenRequest(ctx context.Context, tokenReq *oidc.AccessTokenR
 		return nil, nil, oidc.ErrInvalidGrant()
 	}
 	if !ValidateGrantType(client, oidc.GrantTypeCode) {
-		return nil, nil, oidc.ErrUnauthorizedClient()
+		return nil, nil, oidc.ErrUnauthorizedClient().WithDescription("client missing grant type " + string(oidc.GrantTypeCode))
 	}
 	if tokenReq.RedirectURI != authReq.GetRedirectURI() {
 		return nil, nil, oidc.ErrInvalidGrant().WithDescription("redirect_uri does not correspond")
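Review bot: The two new guards in Authorize report the missing parameter through a plain `fmt.Errorf`, while the token_code.go hunk in this same commit uses the typed `oidc.ErrUnauthorizedClient().WithDescription(...)`; unless AuthRequestError maps arbitrary errors to an OAuth error code, the response here carries no `invalid_request` code, so consider `oidc.ErrInvalidRequest().WithDescription("auth request is missing client_id")` and the same form for the redirect_uri guard and for the new `id == ""` check in AuthorizeCallback. Separately, when RedirectURI is empty the error has to be rendered to the user agent rather than redirected, and this guard passes authReq with an empty RedirectURI into AuthRequestError, so correctness depends on how AuthRequestError treats an empty redirect target, which is not visible in the hunk; it is worth confirming it does not fall back to a redirect_uri read from the raw request. The AuthorizeCallback guard passes a nil authReq, so AuthRequestError must tolerate nil there as well. The enclosing Authorize body begins and ends outside the hunk.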