diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index c795268b3acad..9e7218c341a47 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -920,15 +920,16 @@ func claimsFromUserInfo(oidcClient *oidc.Client, issuerURL string, accessToken s
 	}
 	hc := oac.HttpClient()
 
-	// go get the provider config so we can find out where the UserInfo endpoint is
+	// go get the provider config so we can find out where the UserInfo endpoint
+	// is. if the provider doesn't offer a UserInfo endpoint return not found.
 	pc, err := oidc.FetchProviderConfig(oac.HttpClient(), issuerURL)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
-	// If the provider doesn't offer a UserInfo endpoint don't err.
 	if pc.UserInfoEndpoint == nil {
-		return nil, nil
+		return nil, trace.NotFound("UserInfo endpoint not found")
 	}
+
 	endpoint := pc.UserInfoEndpoint.String()
 	err = isHTTPS(endpoint)
 	if err != nil {
@@ -996,14 +997,13 @@ func (a *AuthServer) getClaims(oidcClient *oidc.Client, issuerURL string, code s
 
 	userInfoClaims, err := claimsFromUserInfo(oidcClient, issuerURL, t.AccessToken)
 	if err != nil {
+		if trace.IsNotFound(err) {
+			log.Debugf("[OIDC] Provider doesn't offer UserInfo endpoint. Returning token claims: %v", idTokenClaims)
+			return idTokenClaims, nil
+		}
 		log.Debugf("[OIDC] Unable to fetch UserInfo claims: %v", err)
 		return nil, trace.Wrap(err)
 	}
-	if userInfoClaims == nil {
-		log.Warn("[OIDC] Provider doesn't offer UserInfo endpoint. Only token claims will be used.")
-		return idTokenClaims, nil
-	}
-
 	log.Debugf("[OIDC] UserInfo claims: %v", userInfoClaims)
 
 	// make sure that the subject in the userinfo claim matches the subject in