diff --git a/cmd/server/handler_oauth2_factory.go b/cmd/server/handler_oauth2_factory.go
index 37b9b47061..405bf00d6e 100644
--- a/cmd/server/handler_oauth2_factory.go
+++ b/cmd/server/handler_oauth2_factory.go
@@ -195,6 +195,7 @@ func newOAuth2Handler(c *config.Config, frontend, backend *httprouter.Router, cm
 OpenIDJWTStrategy: openIDJWTStrategy,
 AccessTokenJWTStrategy: accessTokenJWTStrategy,
 IDTokenLifespan: c.GetIDTokenLifespan(),
+ ShareOAuth2Debug: c.SendOAuth2DebugMessagesToClients,
 }
 
 handler.SetRoutes(frontend, backend)
diff --git a/oauth2/handler.go b/oauth2/handler.go
index 3d7c7ab1d7..7fbbc31f8e 100644
--- a/oauth2/handler.go
+++ b/oauth2/handler.go
@@ -638,8 +638,13 @@ func (h *Handler) writeAuthorizeError(w http.ResponseWriter, ar fosite.Authorize
 query := redirectURI.Query()
 query.Add("error", rfcerr.Name)
 query.Add("error_description", rfcerr.Description)
- redirectURI.RawQuery = query.Encode()
+ query.Add("error_hint", rfcerr.Hint)
+
+ if h.ShareOAuth2Debug {
+ query.Add("error_debug", rfcerr.Debug)
+ }
 
+ redirectURI.RawQuery = query.Encode()
 w.Header().Add("Location", redirectURI.String())
 w.WriteHeader(http.StatusFound)
 return
diff --git a/oauth2/handler_struct.go b/oauth2/handler_struct.go
index 37a1c6e2d9..4a1c387bea 100644
--- a/oauth2/handler_struct.go
+++ b/oauth2/handler_struct.go
@@ -59,4 +59,6 @@ type Handler struct {
 ClaimsSupported string
 ScopesSupported string
 UserinfoEndpoint string
+
+ ShareOAuth2Debug bool
 }
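Review bot: Nothing at this wiring point tells the operator that debug sharing is switched on. Because `ShareOAuth2Debug` causes internal error detail to be sent to clients (see the oauth2/handler.go hunk in this commit), a warning logged once here when `c.SendOAuth2DebugMessagesToClients` is true would make an accidental production enablement visible in the startup logs. newOAuth2Handler starts and ends outside the hunk, so an existing warning elsewhere cannot be ruled out.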
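Review bot: `error_debug` is placed in the redirect's query string, so whenever `h.ShareOAuth2Debug` is true the internal debug text is recorded wherever URLs are recorded: browser history, proxy and access logs, and any Referer header sent from the landing page. That exposure should be stated in a comment above the `if`, e.g. `// Debug text travels in the URL and will be logged by intermediaries; never enable in production.` Separately, `error_hint` is added unconditionally, so an empty `rfcerr.Hint` yields a bare `error_hint=` parameter; `if rfcerr.Hint != "" { query.Add("error_hint", rfcerr.Hint) }` avoids that, and the same non-empty check fits `rfcerr.Debug`. writeAuthorizeError begins and continues outside the hunk, so where `redirectURI` comes from is not visible here.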
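Review bot: The new exported field `ShareOAuth2Debug` has no doc comment, although its effect is security-relevant: in the oauth2/handler.go hunk of this commit it gates the `error_debug` query parameter on authorize-error redirects. I would add `// ShareOAuth2Debug, if true, appends the internal error debug message as error_debug to authorize-error redirects; keep it false outside development.` above the field. The zero value leaves it off, which is the safe default for any Handler constructed without the factory. The Handler struct starts outside the hunk.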