diff --git a/src/porchlight/oidc/endpoints.py b/src/porchlight/oidc/endpoints.py index 25c5763..fe6e391 100644 --- a/src/porchlight/oidc/endpoints.py +++ b/src/porchlight/oidc/endpoints.py @@ -336,6 +336,9 @@ async def consent_submit(request: Request) -> Response: params = urlencode({"error": "access_denied", "state": state}) return RedirectResponse(f"{redirect_uri}?{params}", status_code=303) + if action != "allow": + return HTMLResponse("
Invalid action
", status_code=400) + # Allow — collect approved scopes approved_scopes = form.getlist("scope") if "openid" not in approved_scopes: @@ -357,4 +360,8 @@ async def consent_submit(request: Request) -> Response: except Exception as exc: return HTMLResponse(f"{exc}
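Review bot: The new `if action != "allow":` guard is the right fail-closed shape (a missing or unrecognised `action` no longer falls through into the consent path), but the comment that follows it only says "Allow — collect approved scopes" and does not record that invariant; suggest `# Fail closed: only an explicit "allow" reaches this point — "deny" redirected above, anything else was rejected with 400` so a later refactor does not reorder the deny/allow branches and reopen the fall-through. The 400 body is a fixed literal, so nothing request-controlled is reflected here. The scope list on the next line is still taken verbatim from the submitted form (`form.getlist("scope")`); unless code outside this hunk intersects it with the scopes originally requested by the client, a user (or script acting in the browser) can approve scopes the client never asked for, which is worth confirming. `consent_submit` begins before this hunk and continues past it.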
", status_code=400) + if "error" in parsed: + error_desc = parsed.get("error_description", parsed["error"]) + return HTMLResponse(f"{error_desc}
", status_code=400) + return await _complete_authorization(request, oidc_server, endpoint, parsed, userid, username)
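Review bot: `error_desc` is interpolated into an `HTMLResponse` body with an f-string and no escaping; if `parsed` is the result of parsing the authorization request, `error_description` typically echoes the offending parameter value (a bad `redirect_uri`, `scope` or `response_type`), so this is a reflected-HTML sink on a 400 page served to the authenticating user. Escape it before it reaches markup, e.g. `error_desc = html.escape(str(parsed.get("error_description", parsed["error"])))` with a module-level `import html`, and the same treatment applies to the pre-existing `f"{exc}"` branch just above, which has the identical shape. Returning 400 rather than redirecting the error to `redirect_uri` is the safer choice when the request itself failed validation, so that part is fine. The enclosing `consent_submit` starts before this hunk; the markup around the interpolation is not visible in this rendering, so the exact element is hedged.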