diff --git a/middleware.go b/middleware.go
index 3d3bf5aca..ccf9bf0e1 100644
--- a/middleware.go
+++ b/middleware.go
@@ -197,7 +197,7 @@ func (r *oauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
 // step: if the error post verification is anything other than a token
 // expired error we immediately throw an access forbidden - as there is
 // something messed up in the token
- if err != ErrAccessTokenExpired {
+ if err != ErrAccessTokenExpired && !strings.Contains(err.Error(), "expected audience") {
 r.log.Error("access token failed verification",
 zap.String("client_ip", clientIP),
 zap.Error(err))
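Review bot: The added `!strings.Contains(err.Error(), "expected audience")` clause lets an audience-mismatch verification failure skip the forbidden branch and continue down the path previously reserved for `ErrAccessTokenExpired`, so a token minted for a different client is no longer rejected at this check. What happens next is outside the hunk (the middleware body continues past it), but unless that later path re-verifies the audience, this weakens the `aud` check that keeps a token issued to one relying party from being accepted by another. Matching on message text is also fragile, since it depends on the verifier's exact wording and changes behaviour silently if the library rewords the error. If tolerating a mismatch is intended, I would gate it behind an explicit opt-in and compare against a sentinel or typed error, e.g. `if !errors.Is(err, ErrAccessTokenExpired) && !(audienceCheckRelaxed && errors.Is(err, errAudienceMismatch)) {`, where `audienceCheckRelaxed` and `errAudienceMismatch` are names proposed here rather than ones visible in the file, and still log the mismatch with the client IP so it stays visible to operators.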