diff --git a/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticationException.java b/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticationException.java
index 35835dd3089..a9319a0f887 100644
--- a/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticationException.java
+++ b/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticationException.java
@@ -19,7 +19,7 @@
  * @author Kevin Pollet
  * @author Igor Vinokur
  */
-public final class OAuthAuthenticationException extends ServerException {
+public class OAuthAuthenticationException extends ServerException {
 
   /**
    * Constructs an instance of {@link OAuthAuthenticationException}.
diff --git a/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticationService.java b/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticationService.java
index 8d32d9b8c20..3e68c0f656b 100644
--- a/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticationService.java
+++ b/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticationService.java
@@ -26,6 +26,7 @@
 import javax.ws.rs.Path;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriBuilder;
 import org.eclipse.che.api.core.BadRequestException;
 import org.eclipse.che.api.core.rest.Service;
 import org.eclipse.che.commons.env.EnvironmentContext;
@@ -43,7 +44,7 @@ public class OAuthAuthenticationService extends Service {
   private static final Logger LOG = LoggerFactory.getLogger(OAuthAuthenticationService.class);
   private static final String UNSUPPORTED_OAUTH_PROVIDER_ERROR = "Unsupported OAuth provider: %s";
-
+  private static final String ERROR_QUERY_NAME = "error_code";
   @Inject protected OAuthAuthenticatorProvider providers;
 
   @GET
@@ -74,9 +75,16 @@ public Response callback() throws OAuthAuthenticationException, BadRequestExcept
     final String providerName = getParameter(parameters, "oauth_provider");
     final String redirectAfterLogin = getParameter(parameters, "redirect_after_login");
 
-    getAuthenticator(providerName).callback(requestUrl);
+    UriBuilder redirectUriBuilder = UriBuilder.fromUri(redirectAfterLogin);
 
-    return Response.temporaryRedirect(URI.create(redirectAfterLogin)).build();
+    try {
+      getAuthenticator(providerName).callback(requestUrl);
+    } catch (UserDeniedOAuthAuthenticationException e) {
+      redirectUriBuilder.queryParam(ERROR_QUERY_NAME, "access_denied");
+    } catch (OAuthAuthenticationException e) {
+      redirectUriBuilder.queryParam(ERROR_QUERY_NAME, "invalid_request");
+    }
+    return Response.temporaryRedirect(redirectUriBuilder.build()).build();
   }
 
   @GET
diff --git a/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticator.java b/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticator.java
index d1f5a7bbb74..3d0300a1caf 100644
--- a/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticator.java
+++ b/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/OAuthAuthenticator.java
@@ -188,6 +188,11 @@ String callback(final URL requestUrl) throws OAuthAuthenticationException {
       getAccessToken.consumerKey = clientId;
       getAccessToken.temporaryToken = oauthTemporaryToken;
       getAccessToken.verifier = (String) callbackUrl.getFirst(OAUTH_VERIFIER_PARAM_KEY);
+
+      if ("denied".equals(getAccessToken.verifier)) {
+        throw new UserDeniedOAuthAuthenticationException("Authorization denied");
+      }
+
       getAccessToken.transport = httpTransport;
       if (signatureMethod != null && "rsa".equalsIgnoreCase(signatureMethod)) {
         getAccessToken.signer = getOAuthRsaSigner();
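Review bot: Both new catch blocks in callback() drop the exception without recording it, so a provider-side failure (bad signature, expired temporary token, transport error) leaves no server-side trace beyond a redirect carrying `error_code=invalid_request`; the class already has `LOG`, so the second catch should at least do `LOG.warn("OAuth callback for provider {} failed: {}", providerName, e.getMessage());` and the denied case a `LOG.debug(...)`. `UriBuilder.fromUri(redirectAfterLogin)` also runs before the try, and a malformed `redirect_after_login` value makes it throw IllegalArgumentException, which presumably surfaces as a 500 rather than the BadRequestException the method declares — build the redirect URI only after the parameter has been validated. As before this change, nothing in the hunk checks that the redirect target points back at this deployment; if that allow-list lives elsewhere it is not visible here. The method's signature and its earlier lines are outside the hunk, and it may still declare `throws OAuthAuthenticationException` even though that exception is now caught.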
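Review bot: The `"denied"` literal compared against `getAccessToken.verifier` encodes a provider-specific convention for a user who cancelled on the authorization page, and nothing in the hunk says which providers send it; lift it to a named constant next to `OAUTH_VERIFIER_PARAM_KEY`, e.g. `private static final String DENIED_VERIFIER_VALUE = "denied";`, with a comment naming the provider(s) that return that value. Providers that signal denial differently (no verifier at all, or another value) will presumably still fall through to `getAccessToken.execute()` and surface as a generic failure rather than `UserDeniedOAuthAuthenticationException`, which is worth stating in that comment. callback()'s Javadoc, outside the hunk, should also gain `@throws UserDeniedOAuthAuthenticationException if the user refused authorization`. The method starts and ends outside the hunk.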
@@ -197,7 +202,6 @@ String callback(final URL requestUrl) throws OAuthAuthenticationException {
       }
 
       final OAuthCredentialsResponse credentials = getAccessToken.execute();
-
       String userId = getParameterFromState(state, USER_ID_PARAM_KEY);
 
       credentialsStoreLock.lock();
@@ -217,6 +221,8 @@ String callback(final URL requestUrl) throws OAuthAuthenticationException {
 
       return userId;
 
+    } catch (OAuthAuthenticationException e) {
+      throw e;
     } catch (Exception e) {
       throw new OAuthAuthenticationException(e.getMessage());
     }
diff --git a/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/UserDeniedOAuthAuthenticationException.java b/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/UserDeniedOAuthAuthenticationException.java
new file mode 100644
index 00000000000..545bae668f3
--- /dev/null
+++ b/wsmaster/che-core-api-auth/src/main/java/org/eclipse/che/security/oauth1/UserDeniedOAuthAuthenticationException.java
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2012-2018 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.che.security.oauth1;
+
+/** Exception used when a user denies access on the OAuth authorization page. */
+public final class UserDeniedOAuthAuthenticationException extends OAuthAuthenticationException {
+  public UserDeniedOAuthAuthenticationException(String message) {
+    super(message);
+  }
+
+  public UserDeniedOAuthAuthenticationException(Throwable cause) {
+    super(cause);
+  }
+}
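Review bot: The rethrow added for `OAuthAuthenticationException` is now the only path that keeps the original exception; the generic catch directly below it still does `throw new OAuthAuthenticationException(e.getMessage())`, which discards the class and stack trace of the underlying failure, so a token-exchange or signing error arrives at the service with only its message. `OAuthAuthenticationException` has a `Throwable` constructor (the new subclass in this diff calls `super(cause)`), so that line should become `throw new OAuthAuthenticationException(e);` to preserve the cause for diagnosis. The enclosing try block and the method start outside the hunk.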
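Review bot: The two constructors carry no Javadoc, while the parent class documents its constructors (`Constructs an instance of {@link OAuthAuthenticationException}` in the first file of this diff); add `/** Constructs an instance with the given detail message. */` and `/** Constructs an instance wrapping the given cause. */`. The class-level comment could also state that the service callback maps this exception to the `access_denied` redirect, so a reader knows it represents expected user behaviour rather than a server-side fault.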