diff --git a/CHANGELOG.md b/CHANGELOG.md
index 93640d3e..bc77d326 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # CHANGELOG.md
 
 ## 0.40.0 (unreleased)
+ - OIDC login redirects now use HTTP 303 responses so POST submissions are converted to safe GET requests before reaching the identity provider, fixing incorrect reuse of the original POST (HTTP 307) that could break standard auth flows.
  - SQLPage now respects [HTTP accept headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Accept) for JSON. You can now easily process the contents of any existing sql page programmatically with:
     - `curl -H "Accept: application/json" http://example.com/page.sql`: returns a json array
     - `curl -H "Accept: application/x-ndjson" http://example.com/page.sql`: returns one json object per line.
diff --git a/src/webserver/oidc.rs b/src/webserver/oidc.rs
index 4d04077c..9d788581 100644
--- a/src/webserver/oidc.rs
+++ b/src/webserver/oidc.rs
@@ -488,14 +488,14 @@ async fn build_auth_provider_redirect_response(
 ) -> HttpResponse {
     let AuthUrl { url, params } = build_auth_url(oidc_state).await;
     let tmp_login_flow_state_cookie = create_tmp_login_flow_state_cookie(&params, initial_url);
-    HttpResponse::TemporaryRedirect()
+    HttpResponse::SeeOther()
         .append_header((header::LOCATION, url.to_string()))
         .cookie(tmp_login_flow_state_cookie)
         .body("Redirecting...")
 }
 
 fn build_redirect_response(target_url: String) -> HttpResponse {
-    HttpResponse::TemporaryRedirect()
+    HttpResponse::SeeOther()
         .append_header(("Location", target_url))
         .body("Redirecting...")
 }
@@ -835,3 +835,22 @@ fn validate_redirect_url(url: String) -> String {
     log::warn!("Refusing to redirect to {url}");
     '/'.to_string()
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use actix_web::http::StatusCode;
+
+    #[test]
+    fn login_redirects_use_see_other() {
+        let response = build_redirect_response("/foo".to_string());
+        assert_eq!(response.status(), StatusCode::SEE_OTHER);
+        let location = response
+            .headers()
+            .get(header::LOCATION)
+            .expect("missing location header")
+            .to_str()
+            .expect("invalid location header");
+        assert_eq!(location, "/foo");
+    }
+}