diff --git a/adapter.ts b/adapter.ts
index adc0dcc..f9d0d2a 100644
--- a/adapter.ts
+++ b/adapter.ts
@@ -239,7 +239,10 @@ function oidcRedirectForCode(req: Request, prompt: string): Response {
   if (!host) throw ("missing host");
   if (!path) throw ("missing path");
 
-  const bundle = `path=${encodeURIComponent(path)}` +
+  const sanitizedPath = path.replace(/\/+/g, "/");
+  if (!sanitizedPath.match("^/")) throw ("invalid path");
+
+  const bundle = `path=${encodeURIComponent(sanitizedPath)}` +
     `&search=${encodeURIComponent(search)}` +
     `&hash=${encodeURIComponent(hash)}`;
   const target = `${KEYCLOAK_ORIGIN}/realms/${KEYCLOAK_REALM}` +
@@ -251,6 +254,7 @@ function oidcRedirectForCode(req: Request, prompt: string): Response {
   if (DEBUG) console.log(`oidcRedirectForCode prompt: ${prompt}`);
   if (DEBUG) console.log(`oidcRedirectForCode host: ${host}`);
   if (DEBUG) console.log(`oidcRedirectForCode path: ${path}`);
+  if (DEBUG) console.log(`oidcRedirectForCode sanitized: ${sanitizedPath}`);
   if (DEBUG) console.log(`oidcRedirectForCode search: ${search}`);
   if (DEBUG) console.log(`oidcRedirectForCode hash: ${hash}`);
   if (DEBUG) console.log(`oidcRedirectForCode bundle: ${bundle}`);
@@ -264,7 +268,11 @@ function oidcRedirectForCode(req: Request, prompt: string): Response {
 // Don't ask for a credential if auth fails
 // -----------------------------------------------------------------------------
 function redirect(req: Request): Response {
-  return oidcRedirectForCode(req, "none");
+  try {
+    return oidcRedirectForCode(req, "none");
+  } catch {
+    return unauthorized();
+  }
 }
 
 // -----------------------------------------------------------------------------
@@ -272,7 +280,11 @@ function redirect(req: Request): Response {
 // Ask for a credential if auth fails
 // -----------------------------------------------------------------------------
 function auth(req: Request): Response {
-  return oidcRedirectForCode(req, "login");
+  try {
+    return oidcRedirectForCode(req, "login");
+  } catch {
+    return unauthorized();
+  }
 }
 
 // -----------------------------------------------------------------------------