diff --git a/.gitignore b/.gitignore
index a5f59b4e..aff7b5b3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,7 @@ release
 # Folders
 _obj
 _test
+.idea/
 
 # Architecture specific extensions/prefixes
 *.[568vq]
diff --git a/.travis.yml b/.travis.yml
index 7fb4bce2..ef8aa3ec 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,5 @@
 language: go
 go:
-  - 1.12.x
   - 1.13.x
 install:
   # Fetch dependencies
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7687dd3d..a5657c40 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,16 @@
 # Vx.x.x (Pre-release)
 
 ## Changes since v4.0.0
-
+- [#292](https://github.com/pusher/oauth2_proxy/pull/292) Added bash >= 4.0 dependency to configure script (@jmfrank63)
 - [#227](https://github.com/pusher/oauth2_proxy/pull/227) Add Keycloak provider (@Ofinka)
+- [#259](https://github.com/pusher/oauth2_proxy/pull/259) Redirect to HTTPS (@jmickey)
 - [#273](https://github.com/pusher/oauth2_proxy/pull/273) Support Go 1.13 (@dio)
 - [#275](https://github.com/pusher/oauth2_proxy/pull/275) docker: build from debian buster (@syscll)
+- [#258](https://github.com/pusher/oauth2_proxy/pull/258) Add IDToken for Azure provider
+  - This PR adds the IDToken into the session for the Azure provider allowing requests to a backend to be identified as a specific user. As a consequence, if you are using a cookie to store the session the cookie will now exceed the 4kb size limit and be split into multiple cookies. This can cause problems when using nginx as a proxy, resulting in no cookie being passed at all. Either increase the proxy_buffer_size in nginx or implement the redis session storage (see https://pusher.github.io/oauth2_proxy/configuration#redis-storage)
+- [#286](https://github.com/pusher/oauth2_proxy/pull/286) Requests.go updated with useful error messages (@biotom)
+- [#302](https://github.com/pusher/oauth2_proxy/pull/302) Rewrite dist script (@syscll)
+- [#304](https://github.com/pusher/oauth2_proxy/pull/304) Add new Logo! :tada: (@JoelSpeed)
 - [#265](https://github.com/pusher/oauth2_proxy/pull/265) Add upstream with static response (@cgroschupp)
 
 # v4.0.0
diff --git a/Makefile b/Makefile
index 18283f94..f0f83b44 100644
--- a/Makefile
+++ b/Makefile
@@ -61,29 +61,4 @@ test: lint
 
 .PHONY: release
 release: lint test
-	mkdir release
-	mkdir release/$(BINARY)-$(VERSION).darwin-amd64.$(GO_VERSION)
-	mkdir release/$(BINARY)-$(VERSION).linux-amd64.$(GO_VERSION)
-	mkdir release/$(BINARY)-$(VERSION).linux-arm64.$(GO_VERSION)
-	mkdir release/$(BINARY)-$(VERSION).linux-armv6.$(GO_VERSION)
-	mkdir release/$(BINARY)-$(VERSION).windows-amd64.$(GO_VERSION)
-	GO111MODULE=on GOOS=darwin GOARCH=amd64 go build -ldflags="-X main.VERSION=${VERSION}" \
-		-o release/$(BINARY)-$(VERSION).darwin-amd64.$(GO_VERSION)/$(BINARY) github.com/pusher/oauth2_proxy
-	GO111MODULE=on GOOS=linux GOARCH=amd64 go build -ldflags="-X main.VERSION=${VERSION}" \
-		-o release/$(BINARY)-$(VERSION).linux-amd64.$(GO_VERSION)/$(BINARY) github.com/pusher/oauth2_proxy
-	GO111MODULE=on GOOS=linux GOARCH=arm64 go build -ldflags="-X main.VERSION=${VERSION}" \
-		-o release/$(BINARY)-$(VERSION).linux-arm64.$(GO_VERSION)/$(BINARY) github.com/pusher/oauth2_proxy
-	GO111MODULE=on GOOS=linux GOARCH=arm GOARM=6 go build -ldflags="-X main.VERSION=${VERSION}" \
-		-o release/$(BINARY)-$(VERSION).linux-armv6.$(GO_VERSION)/$(BINARY) github.com/pusher/oauth2_proxy
-	GO111MODULE=on GOOS=windows GOARCH=amd64 go build -ldflags="-X main.VERSION=${VERSION}" \
-		-o release/$(BINARY)-$(VERSION).windows-amd64.$(GO_VERSION)/$(BINARY) github.com/pusher/oauth2_proxy
-	shasum -a 256 release/$(BINARY)-$(VERSION).darwin-amd64.$(GO_VERSION)/$(BINARY) > release/$(BINARY)-$(VERSION).darwin-amd64-sha256sum.txt
-	shasum -a 256 release/$(BINARY)-$(VERSION).linux-amd64.$(GO_VERSION)/$(BINARY) > release/$(BINARY)-$(VERSION).linux-amd64-sha256sum.txt
-	shasum -a 256 release/$(BINARY)-$(VERSION).linux-arm64.$(GO_VERSION)/$(BINARY) > release/$(BINARY)-$(VERSION).linux-arm64-sha256sum.txt
-	shasum -a 256 release/$(BINARY)-$(VERSION).linux-armv6.$(GO_VERSION)/$(BINARY) > release/$(BINARY)-$(VERSION).linux-armv6-sha256sum.txt
-	shasum -a 256 release/$(BINARY)-$(VERSION).windows-amd64.$(GO_VERSION)/$(BINARY) > release/$(BINARY)-$(VERSION).windows-amd64-sha256sum.txt
-	tar -C release -czvf release/$(BINARY)-$(VERSION).darwin-amd64.$(GO_VERSION).tar.gz $(BINARY)-$(VERSION).darwin-amd64.$(GO_VERSION)
-	tar -C release -czvf release/$(BINARY)-$(VERSION).linux-amd64.$(GO_VERSION).tar.gz $(BINARY)-$(VERSION).linux-amd64.$(GO_VERSION)
-	tar -C release -czvf release/$(BINARY)-$(VERSION).linux-arm64.$(GO_VERSION).tar.gz $(BINARY)-$(VERSION).linux-arm64.$(GO_VERSION)
-	tar -C release -czvf release/$(BINARY)-$(VERSION).linux-armv6.$(GO_VERSION).tar.gz $(BINARY)-$(VERSION).linux-armv6.$(GO_VERSION)
-	tar -C release -czvf release/$(BINARY)-$(VERSION).windows-amd64.$(GO_VERSION).tar.gz $(BINARY)-$(VERSION).windows-amd64.$(GO_VERSION)
+	BINARY=${BINARY} VERSION=${VERSION} ./dist.sh
diff --git a/README.md b/README.md
index ad88331c..daae04cc 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,9 @@
-# oauth2_proxy
+![OAuth2 Proxy](/docs/logos/OAuth2_Proxy_horizontal.svg)
+
+[![Build Status](https://secure.travis-ci.org/pusher/oauth2_proxy.svg?branch=master)](http://travis-ci.org/pusher/oauth2_proxy)
+[![Go Report Card](https://goreportcard.com/badge/github.com/pusher/oauth2_proxy)](https://goreportcard.com/report/github.com/pusher/oauth2_proxy)
+[![GoDoc](https://godoc.org/github.com/pusher/oauth2_proxy?status.svg)](https://godoc.org/github.com/pusher/oauth2_proxy)
+[![MIT licensed](https://img.shields.io/badge/license-MIT-blue.svg)](./LICENSE)
 
 A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others)
 to validate accounts by email, domain or group.
@@ -7,8 +12,6 @@ to validate accounts by email, domain or group.
 Versions v3.0.0 and up are from this fork and will have diverged from any changes in the original fork.
 A list of changes can be seen in the [CHANGELOG](CHANGELOG.md).
 
-[![Build Status](https://secure.travis-ci.org/pusher/oauth2_proxy.svg?branch=master)](http://travis-ci.org/pusher/oauth2_proxy)
-
 ![Sign In Page](https://cloud.githubusercontent.com/assets/45028/4970624/7feb7dd8-6886-11e4-93e0-c9904af44ea8.png)
 
 ## Installation
diff --git a/configure b/configure
index 26db8fea..10af15e6 100755
--- a/configure
+++ b/configure
@@ -5,6 +5,10 @@ GREEN='\033[0;32m'
 BLUE='\033[0;34m'
 NC='\033[0m'
 
+if [ -z "${BASH_VERSINFO}" ] || [ -z "${BASH_VERSINFO[0]}" ] || [ ${BASH_VERSINFO[0]} -lt 4 ]; then 
+  echo "This script requires Bash version >= 4"; exit 1; 
+fi
+
 declare -A tools=()
 declare -A desired=()
 
diff --git a/dist.sh b/dist.sh
index a00318bb..e5be8180 100755
--- a/dist.sh
+++ b/dist.sh
@@ -1,45 +1,46 @@
-#!/bin/bash
-# build binary distributions for linux/amd64 and darwin/amd64
-set -e
+#!/usr/bin/env bash
 
-DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-echo "working dir $DIR"
-mkdir -p $DIR/dist
-dep ensure || exit 1
+set -o errexit
 
-os=$(go env GOOS)
-arch=$(go env GOARCH)
-version=$(cat $DIR/version.go | grep "const VERSION" | awk '{print $NF}' | sed 's/"//g')
-goversion=$(go version | awk '{print $3}')
-sha256sum=()
-
-echo "... running tests"
-./test.sh
-
-for os in windows linux darwin; do
-    echo "... building v$version for $os/$arch"
-    EXT=
-    if [ $os = windows ]; then
-        EXT=".exe"
-    fi
-    BUILD=$(mktemp -d ${TMPDIR:-/tmp}/oauth2_proxy.XXXXXX)
-    TARGET="oauth2_proxy-$version.$os-$arch.$goversion"
-    FILENAME="oauth2_proxy-$version.$os-$arch$EXT"
-    GOOS=$os GOARCH=$arch CGO_ENABLED=0 \
-        go build -ldflags="-s -w" -o $BUILD/$TARGET/$FILENAME || exit 1
-    pushd $BUILD/$TARGET
-    sha256sum+=("$(shasum -a 256 $FILENAME || exit 1)")
-    cd .. && tar czvf $TARGET.tar.gz $TARGET
-    mv $TARGET.tar.gz $DIR/dist
-    popd
-done
-
-checksum_file="sha256sum.txt"
-cd $DIR/dist
-if [ -f $checksum_file ]; then
-    rm $checksum_file
+if [[ -z ${BINARY} ]] || [[ -z ${VERSION} ]]; then
+	echo "Missing required env var: BINARY=X VERSION=X $(basename $0)"
+	exit 1
 fi
-touch $checksum_file
-for checksum in "${sha256sum[@]}"; do
-    echo "$checksum" >> $checksum_file
+
+# Check for Go version 1.13.*
+GO_VERSION=$(go version | awk '{print $3}')
+if [[ ! "${GO_VERSION}" =~ ^go1.13.* ]]; then
+	echo "Go version must be >= go1.13"
+	exit 1
+fi
+
+ARCHS=(darwin-amd64 linux-amd64 linux-arm64 linux-armv6 windows-amd64)
+
+mkdir -p release
+
+# Create architecture specific release dirs
+for ARCH in "${ARCHS[@]}"; do
+	mkdir -p release/${BINARY}-${VERSION}.${ARCH}.${GO_VERSION}
+
+	GO_OS=$(echo $ARCH | awk -F- '{print $1}')
+	GO_ARCH=$(echo $ARCH | awk -F- '{print $2}')
+
+	# Create architecture specific binaries
+	if [[ ${GO_ARCH} == "armv6" ]]; then
+		GO111MODULE=on GOOS=${GO_OS} GOARCH=arm GOARM=6 go build -ldflags="-X main.VERSION=${VERSION}" \
+			-o release/${BINARY}-${VERSION}.${ARCH}.${GO_VERSION}/${BINARY} github.com/pusher/oauth2_proxy
+	else
+		GO111MODULE=on GOOS=${GO_OS} GOARCH=${GO_ARCH} go build -ldflags="-X main.VERSION=${VERSION}" \
+			-o release/${BINARY}-${VERSION}.${ARCH}.${GO_VERSION}/${BINARY} github.com/pusher/oauth2_proxy
+	fi
+
+	cd release
+
+	# Create sha256sum for architecture specific binary
+	shasum -a 256 ${BINARY}-${VERSION}.${ARCH}.${GO_VERSION}/${BINARY} > ${BINARY}-${VERSION}.${ARCH}-sha256sum.txt
+
+	# Create tar file for architecture specific binary
+	tar -czvf ${BINARY}-${VERSION}.${ARCH}.${GO_VERSION}.tar.gz ${BINARY}-${VERSION}.${ARCH}.${GO_VERSION}
+
+	cd ..
 done
diff --git a/docs/0_index.md b/docs/0_index.md
index 376bd754..e0e3227d 100644
--- a/docs/0_index.md
+++ b/docs/0_index.md
@@ -5,7 +5,7 @@ permalink: /
 nav_order: 0
 ---
 
-# oauth2_proxy
+![OAuth2 Proxy](/logos/OAuth2_Proxy_horizontal.svg)
 
 A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others)
 to validate accounts by email, domain or group.
diff --git a/docs/1_installation.md b/docs/1_installation.md
index 9eb3939f..8ed72b81 100644
--- a/docs/1_installation.md
+++ b/docs/1_installation.md
@@ -9,7 +9,7 @@ nav_order: 1
 
 1.  Choose how to deploy:
 
-    a. Download [Prebuilt Binary](https://github.com/pusher/oauth2_proxy/releases) (current release is `v3.2.0`)
+    a. Download [Prebuilt Binary](https://github.com/pusher/oauth2_proxy/releases) (current release is `v4.0.0`)
 
     b. Build with `$ go get github.com/pusher/oauth2_proxy` which will put the binary in `$GOROOT/bin`
 
@@ -18,8 +18,8 @@ nav_order: 1
 Prebuilt binaries can be validated by extracting the file and verifying it against the `sha256sum.txt` checksum file provided for each release starting with version `v3.0.0`.
 
 ```
-sha256sum -c sha256sum.txt 2>&1 | grep OK
-oauth2_proxy-3.2.0.linux-amd64: OK
+$ sha256sum -c sha256sum.txt 2>&1 | grep OK
+oauth2_proxy-4.0.0.linux-amd64: OK
 ```
 
 2.  [Select a Provider and Register an OAuth Application with a Provider](auth-configuration)
diff --git a/docs/2_auth.md b/docs/2_auth.md
index 04e63292..991bbae2 100644
--- a/docs/2_auth.md
+++ b/docs/2_auth.md
@@ -81,6 +81,8 @@ Note: The user is checked against the group members list on initial authenticati
    --client-secret=<value from step 6>
 ```
 
+Note: When using the Azure Auth provider with nginx and the cookie session store you may find the cookie is too large and doesn't get passed through correctly. Increasing the proxy_buffer_size in nginx or implementing the [redis session storage](configuration#redis-storage) should resolve this.
+
 ### Facebook Auth Provider
 
 1.  Create a new FB App from <https://developers.facebook.com/>
diff --git a/docs/_config.yml b/docs/_config.yml
index 87f026c8..a53e9e14 100644
--- a/docs/_config.yml
+++ b/docs/_config.yml
@@ -14,6 +14,7 @@
 # You can create any custom variable you would like, and they will be accessible
 # in the templates via {{ site.myvariable }}.
 title: OAuth2_Proxy
+logo: /logos/OAuth2_Proxy_horizontal.svg
 description: >- # this means to ignore newlines until "baseurl:"
   OAuth2_Proxy documentation site
 baseurl: "/oauth2_proxy" # the subpath of your site, e.g. /blog
diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md
index ffe1be42..158ad3bd 100644
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@@ -44,6 +44,7 @@ An example [oauth2_proxy.cfg]({{ site.gitweb }}/contrib/oauth2_proxy.cfg.example
 | `-extra-jwt-issuers` | string | if `-skip-jwt-bearer-tokens` is set, a list of extra JWT `issuer=audience` pairs (where the issuer URL has a `.well-known/openid-configuration` or a `.well-known/jwks.json`) | |
 | `-exclude-logging-paths` | string | comma separated list of paths to exclude from logging, eg: `"/ping,/path2"` |`""` (no paths excluded) |
 | `-flush-interval` | duration | period between flushing response buffers when streaming responses | `"1s"` |
+| `-force-https` | bool | enforce https redirect | `false` |
 | `-banner` | string | custom banner string. Use `"-"` to disable default banner. | |
 | `-footer` | string | custom footer string. Use `"-"` to disable default footer. | |
 | `-gcp-healthchecks` | bool | will enable `/liveness_check`, `/readiness_check`, and `/` (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses | false |
@@ -116,7 +117,7 @@ See below for provider specific options
 
 ### Upstreams Configuration
 
-`oauth2_proxy` supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as `http://127.0.0.1:8080/` for the upstream parameter, that will forward all authenticated requests to be forwarded to the upstream server. If you instead provide `http://127.0.0.1:8080/some/path/` then it will only be requests that start with `/some/path/` which are forwarded to the upstream.
+`oauth2_proxy` supports having multiple upstreams, and has the option to pass requests on to HTTP(S) servers or serve static files from the file system. HTTP and HTTPS upstreams are configured by providing a URL such as `http://127.0.0.1:8080/` for the upstream parameter, this will forward all authenticated requests to the upstream server. If you instead provide `http://127.0.0.1:8080/some/path/` then it will only be requests that start with `/some/path/` which are forwarded to the upstream.
 
 Static file paths are configured as a file:// URL. `file:///var/www/static/` will serve the files from that directory at `http://[oauth2_proxy url]/var/www/static/`, which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at. `file:///var/www/static/#/static/` will ie. make `/var/www/static/` available at `http://[oauth2_proxy url]/static/`.
 
diff --git a/docs/logos/OAuth2_Proxy_horizontal.png b/docs/logos/OAuth2_Proxy_horizontal.png
new file mode 100644
index 00000000..1020c52d
Binary files /dev/null and b/docs/logos/OAuth2_Proxy_horizontal.png differ
diff --git a/docs/logos/OAuth2_Proxy_horizontal.svg b/docs/logos/OAuth2_Proxy_horizontal.svg
new file mode 100644
index 00000000..4df740f6
--- /dev/null
+++ b/docs/logos/OAuth2_Proxy_horizontal.svg
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 840.55645 412.45904"><defs><style>.cls-1{fill:#333;}.cls-2{fill:#7c7c82;}.cls-3{fill:#06ed94;}.cls-4{fill:#059b61;}.cls-5{fill:#1957ba;}.cls-6{fill:#6ca8ff;}</style></defs><title>OAuth2_Proxy_logo_v3</title><path class="cls-1" d="M474.20933,196.63116a41.46679,41.46679,0,0,1-16.33506-3.18964,39.80757,39.80757,0,0,1-21.67092-21.83518,42.99409,42.99409,0,0,1,0-32.23,39.80765,39.80765,0,0,1,21.67092-21.83518,43.41665,43.41665,0,0,1,32.67012,0,39.8101,39.8101,0,0,1,21.66989,21.83518,42.994,42.994,0,0,1,0,32.23,39.81,39.81,0,0,1-21.66989,21.83518A41.485,41.485,0,0,1,474.20933,196.63116Zm0-14.07985a26.63714,26.63714,0,0,0,10.28431-1.9799,25.89889,25.89889,0,0,0,8.36072-5.50012,25.04229,25.04229,0,0,0,5.60963-8.525,31.04294,31.04294,0,0,0,0-22.11,25.07963,25.07963,0,0,0-5.60963-8.52549,25.9145,25.9145,0,0,0-8.36072-5.49961,27.6962,27.6962,0,0,0-20.56965,0,25.89233,25.89233,0,0,0-8.36072,5.49961,25.03434,25.03434,0,0,0-5.60962,8.52549,31.04279,31.04279,0,0,0,0,22.11,24.99714,24.99714,0,0,0,5.60962,8.525,25.87675,25.87675,0,0,0,8.36072,5.50012A26.63112,26.63112,0,0,0,474.20933,182.55131Z"/><path class="cls-1" d="M548.12931,116.11083h16.94044l29.59051,78.76048H578.26942L571.77961,176.061H541.41945l-6.48981,18.81033H518.53983Zm18.81032,46.3104-7.03941-19.69-2.8606-9.56994h-.88018l-2.85957,9.56994-7.04044,19.69Z"/><path class="cls-1" d="M636.67873,187.83138h-.88019a18.26469,18.26469,0,0,1-6.82039,6.43506,19.94541,19.94541,0,0,1-9.78947,2.36472q-10.23059,0-15.23483-6.26977-5.00682-6.27052-5.00527-16.7204V140.97087H613.359v30.91027q0,5.832,2.58477,8.635,2.58321,2.80482,7.53425,2.80533a10.50006,10.50006,0,0,0,5.22532-1.265,12.21407,12.21407,0,0,0,3.85029-3.41019,15.44293,15.44293,0,0,0,2.41947-5.06,22.69746,22.69746,0,0,0,.82543-6.215V140.97087H650.209v53.90044H636.67873Z"/><path class="cls-1" d="M669.01723,153.29138h-9.461V140.97087h9.461V124.471h14.4094v16.49984h13.2007v12.32051h-13.2007V174.829a15.54561,15.54561,0,0,0,.38534,3.57135,5.7936,5.7936,0,0,0,1.48454,2.77744,5.44914,5.44914,0,0,0,4.39988,1.81357,8.00547,8.00547,0,0,0,5.06-1.4303l4.07034,12.65007a23.83924,23.83924,0,0,1-5.44434,1.81512,31.8029,31.8029,0,0,1-6.43505.60487,19.66528,19.66528,0,0,1-7.31524-1.29084,15.54151,15.54151,0,0,1-5.44537-3.53675q-5.17107-5.05331-5.16953-14.37272Z"/><path class="cls-1" d="M707.735,116.11083h14.4094v22.1105l-.87915,9.79h.87915a17.85447,17.85447,0,0,1,6.65511-6.325,19.31492,19.31492,0,0,1,9.73574-2.47526q10.44909,0,15.45488,6.16026,5.00371,6.16128,5.00527,16.8299v32.67013H744.585V163.961q0-5.60962-2.64055-8.525a9.44018,9.44018,0,0,0-7.37-2.91484,10.82482,10.82482,0,0,0-5.28007,1.265,11.76092,11.76092,0,0,0-3.904,3.465,16.09429,16.09429,0,0,0-2.4205,5.11478,22.748,22.748,0,0,0-.82544,6.215v26.29034H707.735Z"/><path class="cls-1" d="M769.77353,194.87131V181.78115q6.48979-6.37824,11.98992-11.87991,2.31048-2.3097,4.73048-4.73,2.4174-2.41818,4.50939-4.50991,2.08888-2.08889,3.74078-3.795,1.6488-1.70458,2.53-2.69531,1.75726-2.08811,3.13436-3.73975a18.16413,18.16413,0,0,0,2.20046-3.24542,16.47472,16.47472,0,0,0,1.26449-3.18963,13.02445,13.02445,0,0,0,.44009-3.465,8.4276,8.4276,0,0,0-2.85956-6.325,10.93308,10.93308,0,0,0-7.81009-2.6953q-4.951,0-7.70058,2.80533a14.59773,14.59773,0,0,0-3.73975,6.325l-13.09015-5.3901a24.55547,24.55547,0,0,1,2.8606-6.105,22.76637,22.76637,0,0,1,5.06-5.61014,26.44875,26.44875,0,0,1,7.31421-4.07034,26.86184,26.86184,0,0,1,9.5157-1.59456,29.71878,29.71878,0,0,1,10.3401,1.70458,23.00883,23.00883,0,0,1,7.81008,4.67521,20.92923,20.92923,0,0,1,4.94949,6.98517,21.28551,21.28551,0,0,1,1.76037,8.635,25.00612,25.00612,0,0,1-3.465,12.92486,56.87664,56.87664,0,0,1-8.41546,10.945l-9.45992,9.46043q-3.74077,3.74077-8.47022,8.35968l.44009.66014h30.4707v12.65007Z"/><path class="cls-2" d="M447.03623,265.05824v31.9h-10.12V218.19774h26.84045a24.25664,24.25664,0,0,1,17.38054,6.82039,22.75761,22.75761,0,0,1,0,33.32974,24.22463,24.22463,0,0,1-17.38054,6.71037Zm0-37.18055v27.50059h16.94045a13.378,13.378,0,0,0,10.01054-4.07033,13.80577,13.80577,0,0,0-10.01054-23.43026Z"/><path class="cls-2" d="M507.31645,296.95821h-10.12V243.05777h9.68v8.80029h.44009a14.60805,14.60805,0,0,1,6.32451-7.31523,17.56035,17.56035,0,0,1,9.40516-3.02486,18.97706,18.97706,0,0,1,7.48054,1.31976l-3.08065,9.7905a16.79182,16.79182,0,0,0-5.94021-.77017A13.09674,13.09674,0,0,0,511.551,256.478a15.45278,15.45278,0,0,0-4.23459,10.78019Z"/><path class="cls-2" d="M530.74567,270.00825q0-12.42951,7.81009-20.57018a26.6222,26.6222,0,0,1,19.91055-8.14015q11.98785,0,19.8,8.14015,7.92011,8.14172,7.91959,20.57018,0,12.53952-7.91959,20.57017-7.81164,8.1417-19.8,8.13964a26.616,26.616,0,0,1-19.91055-8.13964Q530.74412,282.439,530.74567,270.00825Zm10.12,0q0,8.691,5.06,14.07984a17.28222,17.28222,0,0,0,25.08008,0q5.05952-5.388,5.06-14.07984,0-8.58025-5.06-13.97034a17.04544,17.04544,0,0,0-25.08008,0Q540.86469,261.429,540.86572,270.00825Z"/><path class="cls-2" d="M619.95626,269.56816l19.25041,27.39005H627.32625l-13.3102-19.91-13.09016,19.91H589.04651l19.03036-27.39005L589.4866,243.05777h11.43929l13.31021,19.03037,12.65006-19.03037h11.88042Z"/><path class="cls-2" d="M694.4248,243.05777l-33.77035,77.66076H650.20484L662.74437,293.548l-22.21949-50.49024h11.00024l16.06026,38.72036h.219l15.62017-38.72036Z"/><path class="cls-3" d="M211.931,392.63536c-101.38027,0-183.85932-82.47852-183.85932-183.8588S110.55071,24.91776,211.931,24.91776,395.7903,107.39629,395.7903,208.77656,313.31125,392.63536,211.931,392.63536Zm0-354.70389c-94.2045,0-170.84457,76.64111-170.84457,170.84509S117.72648,379.62165,211.931,379.62165s170.84457-76.6411,170.84457-170.84509S306.13548,37.93147,211.931,37.93147Z"/><polygon class="cls-4" points="244.602 112.007 239.295 131.843 281.959 166.856 322.055 161.912 244.602 112.007"/><polygon class="cls-3" points="348.449 195.562 348.449 158.734 290.209 109.179 244.602 112.007 300.209 156.67 76.642 156.67 76.642 198.05 348.449 195.562"/><polygon class="cls-5" points="180.489 297.175 185.796 277.34 141.87 240.558 103.037 247.271 180.489 297.175"/><polygon class="cls-6" points="76.642 213.62 76.642 250.448 134.882 300.004 180.489 297.175 124.882 252.512 348.449 252.512 348.449 211.132 76.642 213.62"/></svg>
\ No newline at end of file
diff --git a/docs/logos/OAuth2_Proxy_icon.png b/docs/logos/OAuth2_Proxy_icon.png
new file mode 100644
index 00000000..720f4ce3
Binary files /dev/null and b/docs/logos/OAuth2_Proxy_icon.png differ
diff --git a/docs/logos/OAuth2_Proxy_icon.svg b/docs/logos/OAuth2_Proxy_icon.svg
new file mode 100644
index 00000000..5b0837f9
--- /dev/null
+++ b/docs/logos/OAuth2_Proxy_icon.svg
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 360 360"><defs><style>.cls-1{fill:#06ed94;}.cls-2{fill:#059b61;}.cls-3{fill:#1957ba;}.cls-4{fill:#6ca8ff;}</style></defs><title>OAuth2_Proxy_logo_v3</title><path class="cls-1" d="M179.00205,349.728c-93.69483,0-169.921-76.22687-169.921-169.9217S85.30722,9.88462,179.00205,9.88462c93.69408,0,169.92021,76.22687,169.92021,169.9217S272.69613,349.728,179.00205,349.728Zm0-327.81581c-87.06238,0-157.89338,70.831-157.89338,157.89411s70.831,157.89411,157.89338,157.89411,157.89411-70.831,157.89411-157.89411S266.06442,21.91221,179.00205,21.91221Z"/><polygon class="cls-2" points="208.628 90.373 203.724 108.705 243.153 141.064 280.21 136.494 208.628 90.373"/><polygon class="cls-1" points="304.604 167.593 304.604 133.558 250.778 87.759 208.628 90.373 260.02 131.65 53.401 131.65 53.401 169.893 304.604 167.593"/><polygon class="cls-3" points="149.376 261.504 154.28 243.172 113.684 209.179 77.795 215.382 149.376 261.504"/><polygon class="cls-4" points="53.401 184.283 53.401 218.319 107.226 264.118 149.376 261.504 97.984 220.226 304.604 220.226 304.604 181.984 53.401 184.283"/></svg>
\ No newline at end of file
diff --git a/docs/logos/OAuth2_Proxy_vertical.png b/docs/logos/OAuth2_Proxy_vertical.png
new file mode 100644
index 00000000..994cd0b7
Binary files /dev/null and b/docs/logos/OAuth2_Proxy_vertical.png differ
diff --git a/docs/logos/OAuth2_Proxy_vertical.svg b/docs/logos/OAuth2_Proxy_vertical.svg
new file mode 100644
index 00000000..bf48ab0f
--- /dev/null
+++ b/docs/logos/OAuth2_Proxy_vertical.svg
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 271.25527 412.45904"><defs><style>.cls-1{fill:#06ed94;}.cls-2{fill:#333;}.cls-3{fill:#7c7c82;}.cls-4{fill:#059b61;}.cls-5{fill:#1957ba;}.cls-6{fill:#6ca8ff;}</style></defs><title>OAuth2_Proxy_logo_v3</title><path class="cls-1" d="M135.48689,257.62084A124.15145,124.15145,0,1,1,259.6386,133.46912,124.29216,124.29216,0,0,1,135.48689,257.62084Zm0-239.515a115.36361,115.36361,0,1,0,115.365,115.36333A115.4943,115.4943,0,0,0,135.48689,18.10579Z"/><path class="cls-2" d="M43.349,326.11062a25.03594,25.03594,0,0,1-9.86153-1.9257,24.03513,24.03513,0,0,1-13.08258-13.18176,25.95077,25.95077,0,0,1,0-19.45748,24.03513,24.03513,0,0,1,13.08258-13.18176,25.03611,25.03611,0,0,1,9.86153-1.92569,25.04373,25.04373,0,0,1,9.86152,1.92569,24.03191,24.03191,0,0,1,13.082,13.18176,25.95077,25.95077,0,0,1,0,19.45748,24.03191,24.03191,0,0,1-13.082,13.18176A25.04355,25.04355,0,0,1,43.349,326.11062Zm0-8.5a16.08167,16.08167,0,0,0,6.20905-1.19509,15.64,15.64,0,0,0,5.047-3.32023,15.1262,15.1262,0,0,0,3.3869-5.14675,18.7484,18.7484,0,0,0,0-13.34816,15.13964,15.13964,0,0,0-3.3869-5.1462,15.65025,15.65025,0,0,0-5.047-3.32078,16.727,16.727,0,0,0-12.4181,0,15.62678,15.62678,0,0,0-5.047,3.32078,15.1001,15.1001,0,0,0-3.3869,5.1462,18.74056,18.74056,0,0,0,0,13.34816,15.08674,15.08674,0,0,0,3.3869,5.14675,15.61654,15.61654,0,0,0,5.047,3.32023A16.07574,16.07574,0,0,0,43.349,317.61057Z"/><path class="cls-2" d="M87.97487,277.50053H98.20116l17.864,47.54779h-9.89513l-3.91805-11.3558H83.92349L80.006,325.04832H70.11085Zm11.35526,27.95752-4.24976-11.887L93.35359,287.794h-.53115l-1.72678,5.77708-4.24975,11.887Z"/><path class="cls-2" d="M141.432,320.798h-.53115a11.02494,11.02494,0,0,1-4.117,3.885,12.04189,12.04189,0,0,1-5.91041,1.42761q-6.17625,0-9.19759-3.78527-3.02268-3.78444-3.0216-10.0935v-19.723h8.6995V311.169q0,3.521,1.56039,5.21287a5.88,5.88,0,0,0,4.54893,1.69372,6.335,6.335,0,0,0,3.15439-.76366,7.36817,7.36817,0,0,0,2.3246-2.05849,9.31986,9.31986,0,0,0,1.46067-3.0552,13.70705,13.70705,0,0,0,.49809-3.75166V292.5088h8.6995v32.53952H141.432Z"/><path class="cls-2" d="M160.95505,299.94654h-5.711V292.5088h5.711v-9.96125h8.6995v9.96125h7.96889v7.43774h-7.96889v13.00237a9.40943,9.40943,0,0,0,.232,2.156,3.50429,3.50429,0,0,0,.89645,1.67692,3.29006,3.29006,0,0,0,2.6563,1.09428,4.8322,4.8322,0,0,0,3.0552-.86339l2.45685,7.63719a14.4013,14.4013,0,0,1-3.28718,1.09591,19.24352,19.24352,0,0,1-3.885.36476,11.87693,11.87693,0,0,1-4.41614-.77884,9.38856,9.38856,0,0,1-3.28718-2.13545q-3.12186-3.05113-3.12078-8.67673Z"/><path class="cls-2" d="M184.32841,277.50053h8.6995v13.34815l-.53115,5.90987h.53115a10.7816,10.7816,0,0,1,4.01778-3.81832,11.65893,11.65893,0,0,1,5.87681-1.49427q6.30877,0,9.33037,3.71914,3.02106,3.71941,3.0216,10.16016v19.72306H206.575V306.38757a7.42672,7.42672,0,0,0-1.59345-5.14621,5.69992,5.69992,0,0,0-4.44975-1.75984,6.53689,6.53689,0,0,0-3.18745.76366,7.09646,7.09646,0,0,0-2.35711,2.09154A9.73186,9.73186,0,0,0,193.526,305.425a13.71381,13.71381,0,0,0-.49809,3.7522v15.87113h-8.6995Z"/><path class="cls-2" d="M221.78162,325.04832v-7.90223q3.91778-3.85111,7.23829-7.17217l2.85575-2.85575q1.46012-1.45931,2.72242-2.72242,1.26094-1.26095,2.25793-2.291.99672-1.02924,1.52733-1.627,1.06176-1.26095,1.89264-2.25794a10.94254,10.94254,0,0,0,1.32842-1.9593,9.958,9.958,0,0,0,.76366-1.92569,7.87231,7.87231,0,0,0,.26558-2.09154,5.08948,5.08948,0,0,0-1.72679-3.81887,6.60122,6.60122,0,0,0-4.71478-1.62652,6.212,6.212,0,0,0-4.64865,1.69318,8.82073,8.82073,0,0,0-2.25794,3.81833l-7.90223-3.25412A14.83518,14.83518,0,0,1,223.11,285.3697a13.75313,13.75313,0,0,1,3.05466-3.38636,15.96788,15.96788,0,0,1,4.41614-2.45739,16.21169,16.21169,0,0,1,5.744-.96258,17.927,17.927,0,0,1,6.24211,1.02924,13.884,13.884,0,0,1,4.71532,2.82215,12.6457,12.6457,0,0,1,2.98854,4.21669,12.85272,12.85272,0,0,1,1.0623,5.21341,15.09115,15.09115,0,0,1-2.09208,7.80251,34.27852,34.27852,0,0,1-5.08008,6.60741l-5.711,5.7115q-2.25848,2.25766-5.11369,5.04648l.26612.3989h18.39517v7.63666Z"/><path class="cls-3" d="M66.12613,369.53928v19.258H60.01681V341.24951H76.22017A14.64408,14.64408,0,0,1,86.71258,345.367a13.739,13.739,0,0,1,0,20.12141,14.62588,14.62588,0,0,1-10.49241,4.05085Zm0-22.446v16.60227H76.353a8.07584,8.07584,0,0,0,6.0432-2.45739,8.33447,8.33447,0,0,0-6.0432-14.14488Z"/><path class="cls-3" d="M102.51758,388.7973H96.40771V356.25779H102.252v5.31259h.26558a8.81855,8.81855,0,0,1,3.81832-4.41614,10.59845,10.59845,0,0,1,5.6779-1.82651,11.44924,11.44924,0,0,1,4.51533.79727l-1.859,5.90987a10.15183,10.15183,0,0,0-3.58636-.46449,7.90481,7.90481,0,0,0-6.00959,2.78909,9.32607,9.32607,0,0,0-2.55657,6.50768Z"/><path class="cls-3" d="M116.66137,372.52727a17.213,17.213,0,0,1,4.71478-12.4181,16.07132,16.07132,0,0,1,12.01974-4.91423,15.85788,15.85788,0,0,1,11.95307,4.91423,18.51723,18.51723,0,0,1,0,24.83674,15.85544,15.85544,0,0,1-11.95307,4.91369,16.06883,16.06883,0,0,1-12.01974-4.91369A17.2098,17.2098,0,0,1,116.66137,372.52727Zm6.10933,0a11.91437,11.91437,0,0,0,3.05466,8.50059,10.43448,10.43448,0,0,0,15.14106,0,13.26169,13.26169,0,0,0,0-16.934,10.28983,10.28983,0,0,0-15.14106,0A11.823,11.823,0,0,0,122.7707,372.52727Z"/><path class="cls-3" d="M170.51794,372.2617l11.62137,16.5356h-7.17217l-8.03556-12.01973-7.90223,12.01973h-7.17216l11.48858-16.5356-11.223-16.00391h6.90659l8.035,11.48858,7.6372-11.48858h7.17162Z"/><path class="cls-3" d="M215.47447,356.25779l-20.387,46.8833H188.7787l7.57053-16.40227-13.41428-30.481h6.641l9.69513,23.37553h.13279l9.4301-23.37553Z"/><polygon class="cls-4" points="157.133 68.125 153.55 81.519 182.358 105.162 209.433 101.824 157.133 68.125"/><polygon class="cls-1" points="227.257 124.546 227.257 99.678 187.929 66.216 157.133 68.125 194.682 98.284 43.718 98.284 43.718 126.226 227.257 124.546"/><polygon class="cls-5" points="113.841 193.161 117.424 179.767 87.763 154.93 61.541 159.463 113.841 193.161"/><polygon class="cls-6" points="43.718 136.74 43.718 161.608 83.045 195.071 113.841 193.161 76.292 163.002 227.257 163.002 227.257 135.06 43.718 136.74"/></svg>
\ No newline at end of file
diff --git a/http.go b/http.go
index 2cee227b..88280c44 100644
--- a/http.go
+++ b/http.go
@@ -152,3 +152,14 @@ func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
 	tc.SetKeepAlivePeriod(3 * time.Minute)
 	return tc, nil
 }
+
+func redirectToHTTPS(opts *Options, h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		proto := r.Header.Get("X-Forwarded-Proto")
+		if opts.ForceHTTPS && (r.TLS == nil || (proto != "" && strings.ToLower(proto) != "https")) {
+			http.Redirect(w, r, opts.HTTPSAddress, http.StatusPermanentRedirect)
+		}
+
+		h.ServeHTTP(w, r)
+	})
+}
diff --git a/http_test.go b/http_test.go
index f5ee1421..400213a0 100644
--- a/http_test.go
+++ b/http_test.go
@@ -106,3 +106,53 @@ func TestGCPHealthcheckNotIngressPut(t *testing.T) {
 
 	assert.Equal(t, "test", rw.Body.String())
 }
+
+func TestRedirectToHTTPSTrue(t *testing.T) {
+	opts := NewOptions()
+	opts.ForceHTTPS = true
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := redirectToHTTPS(opts, http.HandlerFunc(handler))
+	rw := httptest.NewRecorder()
+	r, _ := http.NewRequest("GET", "/", nil)
+	h.ServeHTTP(rw, r)
+
+	assert.Equal(t, http.StatusPermanentRedirect, rw.Code, "status code should be %d, got: %d", http.StatusPermanentRedirect, rw.Code)
+}
+
+func TestRedirectToHTTPSFalse(t *testing.T) {
+	opts := NewOptions()
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := redirectToHTTPS(opts, http.HandlerFunc(handler))
+	rw := httptest.NewRecorder()
+	r, _ := http.NewRequest("GET", "/", nil)
+	h.ServeHTTP(rw, r)
+
+	assert.Equal(t, http.StatusOK, rw.Code, "status code should be %d, got: %d", http.StatusOK, rw.Code)
+}
+
+func TestRedirectNotWhenHTTPS(t *testing.T) {
+	opts := NewOptions()
+	opts.ForceHTTPS = true
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := redirectToHTTPS(opts, http.HandlerFunc(handler))
+	s := httptest.NewTLSServer(h)
+	defer s.Close()
+
+	opts.HTTPSAddress = s.URL
+	client := s.Client()
+	res, err := client.Get(s.URL)
+	if err != nil {
+		t.Fatalf("request to test server failed with error: %v", err)
+	}
+
+	assert.Equal(t, http.StatusOK, res.StatusCode, "status code should be %d, got: %d", http.StatusOK, res.StatusCode)
+}
diff --git a/main.go b/main.go
index d30d6bda..b0e327bd 100644
--- a/main.go
+++ b/main.go
@@ -32,6 +32,7 @@ func main() {
 
 	flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
 	flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")
+	flagSet.Bool("force-https", false, "force HTTPS redirect for HTTP requests")
 	flagSet.String("tls-cert-file", "", "path to certificate file")
 	flagSet.String("tls-key-file", "", "path to private key file")
 	flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
@@ -185,9 +186,9 @@ func main() {
 
 	var handler http.Handler
 	if opts.GCPHealthChecks {
-		handler = gcpHealthcheck(LoggingHandler(oauthproxy))
+		handler = redirectToHTTPS(opts, gcpHealthcheck(LoggingHandler(oauthproxy)))
 	} else {
-		handler = LoggingHandler(oauthproxy)
+		handler = redirectToHTTPS(opts, LoggingHandler(oauthproxy))
 	}
 	s := &Server{
 		Handler: handler,
diff --git a/options.go b/options.go
index 37bbb0b9..ddc10cfd 100644
--- a/options.go
+++ b/options.go
@@ -34,6 +34,7 @@ type Options struct {
 	ProxyWebSockets bool   `flag:"proxy-websockets" cfg:"proxy_websockets" env:"OAUTH2_PROXY_PROXY_WEBSOCKETS"`
 	HTTPAddress     string `flag:"http-address" cfg:"http_address" env:"OAUTH2_PROXY_HTTP_ADDRESS"`
 	HTTPSAddress    string `flag:"https-address" cfg:"https_address" env:"OAUTH2_PROXY_HTTPS_ADDRESS"`
+	ForceHTTPS      bool   `flag:"force-https" cfg:"force_https" env:"OAUTH2_PROXY_FORCE_HTTPS"`
 	RedirectURL     string `flag:"redirect-url" cfg:"redirect_url" env:"OAUTH2_PROXY_REDIRECT_URL"`
 	ClientID        string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
 	ClientSecret    string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
@@ -145,6 +146,7 @@ func NewOptions() *Options {
 		ProxyWebSockets:     true,
 		HTTPAddress:         "127.0.0.1:4180",
 		HTTPSAddress:        ":443",
+		ForceHTTPS:          false,
 		DisplayHtpasswdForm: true,
 		CookieOptions: options.CookieOptions{
 			CookieName:     "_oauth2_proxy",
diff --git a/pkg/requests/requests.go b/pkg/requests/requests.go
index 82d1176a..9083b2d4 100644
--- a/pkg/requests/requests.go
+++ b/pkg/requests/requests.go
@@ -18,17 +18,23 @@ func Request(req *http.Request) (*simplejson.Json, error) {
 		return nil, err
 	}
 	body, err := ioutil.ReadAll(resp.Body)
-	resp.Body.Close()
-	logger.Printf("%d %s %s %s", resp.StatusCode, req.Method, req.URL, body)
-	if err != nil {
-		return nil, err
+	if body != nil {
+		defer resp.Body.Close()
 	}
+
+	logger.Printf("%d %s %s %s", resp.StatusCode, req.Method, req.URL, body)
+
+	if err != nil {
+		return nil, fmt.Errorf("problem reading http request body: %w", err)
+	}
+
 	if resp.StatusCode != 200 {
 		return nil, fmt.Errorf("got %d %s", resp.StatusCode, body)
 	}
+
 	data, err := simplejson.NewJson(body)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error unmarshalling json: %w", err)
 	}
 	return data, nil
 }
@@ -41,10 +47,13 @@ func RequestJSON(req *http.Request, v interface{}) error {
 		return err
 	}
 	body, err := ioutil.ReadAll(resp.Body)
-	resp.Body.Close()
+	if body != nil {
+		defer resp.Body.Close()
+	}
+
 	logger.Printf("%d %s %s %s", resp.StatusCode, req.Method, req.URL, body)
 	if err != nil {
-		return err
+		return fmt.Errorf("error reading body from http response: %w", err)
 	}
 	if resp.StatusCode != 200 {
 		return fmt.Errorf("got %d %s", resp.StatusCode, body)
@@ -56,7 +65,7 @@ func RequestJSON(req *http.Request, v interface{}) error {
 func RequestUnparsedResponse(url string, header http.Header) (resp *http.Response, err error) {
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error performing get request: %w", err)
 	}
 	req.Header = header
 
diff --git a/pkg/requests/requests_test.go b/pkg/requests/requests_test.go
index 99a4c3b6..c9ec4e88 100644
--- a/pkg/requests/requests_test.go
+++ b/pkg/requests/requests_test.go
@@ -8,20 +8,21 @@ import (
 	"testing"
 
 	"github.com/bitly/go-simplejson"
-
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
-func testBackend(responseCode int, payload string) *httptest.Server {
+func testBackend(t *testing.T, responseCode int, payload string) *httptest.Server {
 	return httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(responseCode)
-			w.Write([]byte(payload))
+			_, err := w.Write([]byte(payload))
+			require.NoError(t, err)
 		}))
 }
 
 func TestRequest(t *testing.T) {
-	backend := testBackend(200, "{\"foo\": \"bar\"}")
+	backend := testBackend(t, 200, "{\"foo\": \"bar\"}")
 	defer backend.Close()
 
 	req, _ := http.NewRequest("GET", backend.URL, nil)
@@ -35,7 +36,7 @@ func TestRequest(t *testing.T) {
 func TestRequestFailure(t *testing.T) {
 	// Create a backend to generate a test URL, then close it to cause a
 	// connection error.
-	backend := testBackend(200, "{\"foo\": \"bar\"}")
+	backend := testBackend(t, 200, "{\"foo\": \"bar\"}")
 	backend.Close()
 
 	req, err := http.NewRequest("GET", backend.URL, nil)
@@ -49,7 +50,7 @@ func TestRequestFailure(t *testing.T) {
 }
 
 func TestHttpErrorCode(t *testing.T) {
-	backend := testBackend(404, "{\"foo\": \"bar\"}")
+	backend := testBackend(t, 404, "{\"foo\": \"bar\"}")
 	defer backend.Close()
 
 	req, err := http.NewRequest("GET", backend.URL, nil)
@@ -60,7 +61,7 @@ func TestHttpErrorCode(t *testing.T) {
 }
 
 func TestJsonParsingError(t *testing.T) {
-	backend := testBackend(200, "not well-formed JSON")
+	backend := testBackend(t, 200, "not well-formed JSON")
 	defer backend.Close()
 
 	req, err := http.NewRequest("GET", backend.URL, nil)
@@ -77,7 +78,8 @@ func TestRequestUnparsedResponseUsingAccessTokenParameter(t *testing.T) {
 			token := r.FormValue("access_token")
 			if r.URL.Path == "/" && token == "my_token" {
 				w.WriteHeader(200)
-				w.Write([]byte("some payload"))
+				_, err := w.Write([]byte("some payload"))
+				require.NoError(t, err)
 			} else {
 				w.WriteHeader(403)
 			}
@@ -86,16 +88,17 @@ func TestRequestUnparsedResponseUsingAccessTokenParameter(t *testing.T) {
 
 	response, err := RequestUnparsedResponse(
 		backend.URL+"?access_token=my_token", nil)
+	defer response.Body.Close()
+
 	assert.Equal(t, nil, err)
 	assert.Equal(t, 200, response.StatusCode)
 	body, err := ioutil.ReadAll(response.Body)
 	assert.Equal(t, nil, err)
-	response.Body.Close()
 	assert.Equal(t, "some payload", string(body))
 }
 
 func TestRequestUnparsedResponseUsingAccessTokenParameterFailedResponse(t *testing.T) {
-	backend := testBackend(200, "some payload")
+	backend := testBackend(t, 200, "some payload")
 	// Close the backend now to force a request failure.
 	backend.Close()
 
@@ -110,7 +113,8 @@ func TestRequestUnparsedResponseUsingHeaders(t *testing.T) {
 		func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/" && r.Header["Auth"][0] == "my_token" {
 				w.WriteHeader(200)
-				w.Write([]byte("some payload"))
+				_, err := w.Write([]byte("some payload"))
+				require.NoError(t, err)
 			} else {
 				w.WriteHeader(403)
 			}
@@ -120,10 +124,12 @@ func TestRequestUnparsedResponseUsingHeaders(t *testing.T) {
 	headers := make(http.Header)
 	headers.Set("Auth", "my_token")
 	response, err := RequestUnparsedResponse(backend.URL, headers)
+	defer response.Body.Close()
+
 	assert.Equal(t, nil, err)
 	assert.Equal(t, 200, response.StatusCode)
 	body, err := ioutil.ReadAll(response.Body)
 	assert.Equal(t, nil, err)
-	response.Body.Close()
+
 	assert.Equal(t, "some payload", string(body))
 }
diff --git a/providers/azure.go b/providers/azure.go
index 653090b0..48cea846 100644
--- a/providers/azure.go
+++ b/providers/azure.go
@@ -1,10 +1,14 @@
 package providers
 
 import (
+	"bytes"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"net/url"
+	"time"
 
 	"github.com/bitly/go-simplejson"
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
@@ -65,6 +69,67 @@ func (p *AzureProvider) Configure(tenant string) {
 	}
 }
 
+func (p *AzureProvider) Redeem(redirectURL, code string) (s *sessions.SessionState, err error) {
+	if code == "" {
+		err = errors.New("missing code")
+		return
+	}
+
+	params := url.Values{}
+	params.Add("redirect_uri", redirectURL)
+	params.Add("client_id", p.ClientID)
+	params.Add("client_secret", p.ClientSecret)
+	params.Add("code", code)
+	params.Add("grant_type", "authorization_code")
+	if p.ProtectedResource != nil && p.ProtectedResource.String() != "" {
+		params.Add("resource", p.ProtectedResource.String())
+	}
+
+	var req *http.Request
+	req, err = http.NewRequest("POST", p.RedeemURL.String(), bytes.NewBufferString(params.Encode()))
+	if err != nil {
+		return
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	var resp *http.Response
+	resp, err = http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	var body []byte
+	body, err = ioutil.ReadAll(resp.Body)
+	resp.Body.Close()
+	if err != nil {
+		return
+	}
+
+	if resp.StatusCode != 200 {
+		err = fmt.Errorf("got %d from %q %s", resp.StatusCode, p.RedeemURL.String(), body)
+		return
+	}
+
+	var jsonResponse struct {
+		AccessToken  string `json:"access_token"`
+		RefreshToken string `json:"refresh_token"`
+		ExpiresOn    int64  `json:"expires_on,string"`
+		IDToken      string `json:"id_token"`
+	}
+	err = json.Unmarshal(body, &jsonResponse)
+	if err != nil {
+		return
+	}
+
+	s = &sessions.SessionState{
+		AccessToken:  jsonResponse.AccessToken,
+		IDToken:      jsonResponse.IDToken,
+		CreatedAt:    time.Now(),
+		ExpiresOn:    time.Unix(jsonResponse.ExpiresOn, 0),
+		RefreshToken: jsonResponse.RefreshToken,
+	}
+	return
+}
+
 func getAzureHeader(accessToken string) http.Header {
 	header := make(http.Header)
 	header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
diff --git a/providers/azure_test.go b/providers/azure_test.go
index 8d34bdc8..24745f3a 100644
--- a/providers/azure_test.go
+++ b/providers/azure_test.go
@@ -5,6 +5,7 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"testing"
+	"time"
 
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
 	"github.com/stretchr/testify/assert"
@@ -20,6 +21,7 @@ func testAzureProvider(hostname string) *AzureProvider {
 			ValidateURL:       &url.URL{},
 			ProtectedResource: &url.URL{},
 			Scope:             ""})
+
 	if hostname != "" {
 		updateURL(p.Data().LoginURL, hostname)
 		updateURL(p.Data().RedeemURL, hostname)
@@ -111,8 +113,11 @@ func testAzureBackend(payload string) *httptest.Server {
 
 	return httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
-			if r.URL.Path != path || r.URL.RawQuery != query {
+			if (r.URL.Path != path || r.URL.RawQuery != query) && r.Method != "POST" {
 				w.WriteHeader(404)
+			} else if r.Method == "POST" && r.Body != nil {
+				w.WriteHeader(200)
+				w.Write([]byte(payload))
 			} else if r.Header.Get("Authorization") != "Bearer imaginary_access_token" {
 				w.WriteHeader(403)
 			} else {
@@ -199,3 +204,19 @@ func TestAzureProviderGetEmailAddressIncorrectOtherMails(t *testing.T) {
 	assert.Equal(t, "type assertion to string failed", err.Error())
 	assert.Equal(t, "", email)
 }
+
+func TestAzureProviderRedeemReturnsIdToken(t *testing.T) {
+	b := testAzureBackend(`{ "id_token": "testtoken1234", "expires_on": "1136239445", "refresh_token": "refresh1234" }`)
+	defer b.Close()
+	timestamp, err := time.Parse(time.RFC3339, "2006-01-02T22:04:05Z")
+	assert.Equal(t, nil, err)
+
+	bURL, _ := url.Parse(b.URL)
+	p := testAzureProvider(bURL.Host)
+	p.Data().RedeemURL.Path = "/common/oauth2/token"
+	s, err := p.Redeem("https://localhost", "1234")
+	assert.Equal(t, nil, err)
+	assert.Equal(t, "testtoken1234", s.IDToken)
+	assert.Equal(t, timestamp, s.ExpiresOn.UTC())
+	assert.Equal(t, "refresh1234", s.RefreshToken)
+}
diff --git a/validator_test.go b/validator_test.go
index 6e72cdbe..58253e8e 100644
--- a/validator_test.go
+++ b/validator_test.go
@@ -8,30 +8,34 @@ import (
 )
 
 type ValidatorTest struct {
-	authEmailFile *os.File
-	done          chan bool
-	updateSeen    bool
+	authEmailFileName string
+	done              chan bool
+	updateSeen        bool
 }
 
 func NewValidatorTest(t *testing.T) *ValidatorTest {
 	vt := &ValidatorTest{}
 	var err error
-	vt.authEmailFile, err = ioutil.TempFile("", "test_auth_emails_")
+	f, err := ioutil.TempFile("", "test_auth_emails_")
 	if err != nil {
-		t.Fatal("failed to create temp file: " + err.Error())
+		t.Fatalf("failed to create temp file: %v", err)
 	}
+	if err := f.Close(); err != nil {
+		t.Fatalf("failed to close temp file: %v", err)
+	}
+	vt.authEmailFileName = f.Name()
 	vt.done = make(chan bool, 1)
 	return vt
 }
 
 func (vt *ValidatorTest) TearDown() {
 	vt.done <- true
-	os.Remove(vt.authEmailFile.Name())
+	os.Remove(vt.authEmailFileName)
 }
 
 func (vt *ValidatorTest) NewValidator(domains []string,
 	updated chan<- bool) func(string) bool {
-	return newValidatorImpl(domains, vt.authEmailFile.Name(),
+	return newValidatorImpl(domains, vt.authEmailFileName,
 		vt.done, func() {
 			if vt.updateSeen == false {
 				updated <- true
@@ -40,13 +44,18 @@ func (vt *ValidatorTest) NewValidator(domains []string,
 		})
 }
 
-// This will close vt.authEmailFile.
 func (vt *ValidatorTest) WriteEmails(t *testing.T, emails []string) {
-	defer vt.authEmailFile.Close()
-	vt.authEmailFile.WriteString(strings.Join(emails, "\n"))
-	if err := vt.authEmailFile.Close(); err != nil {
-		t.Fatal("failed to close temp file " +
-			vt.authEmailFile.Name() + ": " + err.Error())
+	f, err := os.OpenFile(vt.authEmailFileName, os.O_WRONLY, 0600)
+	if err != nil {
+		t.Fatalf("failed to open auth email file: %v", err)
+	}
+
+	if _, err := f.WriteString(strings.Join(emails, "\n")); err != nil {
+		t.Fatalf("failed to write emails to auth email file: %v", err)
+	}
+
+	if err := f.Close(); err != nil {
+		t.Fatalf("failed to close auth email file: %v", err)
 	}
 }
 
@@ -160,3 +169,43 @@ func TestValidatorIgnoreSpacesInAuthEmails(t *testing.T) {
 		t.Error("email should validate")
 	}
 }
+
+func TestValidatorOverwriteEmailListDirectly(t *testing.T) {
+	vt := NewValidatorTest(t)
+	defer vt.TearDown()
+
+	vt.WriteEmails(t, []string{
+		"xyzzy@example.com",
+		"plugh@example.com",
+	})
+	domains := []string(nil)
+	updated := make(chan bool)
+	validator := vt.NewValidator(domains, updated)
+
+	if !validator("xyzzy@example.com") {
+		t.Error("first email in list should validate")
+	}
+	if !validator("plugh@example.com") {
+		t.Error("second email in list should validate")
+	}
+	if validator("xyzzy.plugh@example.com") {
+		t.Error("email not in list that matches no domains " +
+			"should not validate")
+	}
+
+	vt.WriteEmails(t, []string{
+		"xyzzy.plugh@example.com",
+		"plugh@example.com",
+	})
+	<-updated
+
+	if validator("xyzzy@example.com") {
+		t.Error("email removed from list should not validate")
+	}
+	if !validator("plugh@example.com") {
+		t.Error("email retained in list should validate")
+	}
+	if !validator("xyzzy.plugh@example.com") {
+		t.Error("email added to list should validate")
+	}
+}
diff --git a/validator_watcher_copy_test.go b/validator_watcher_copy_test.go
deleted file mode 100644
index 15ed6faf..00000000
--- a/validator_watcher_copy_test.go
+++ /dev/null
@@ -1,48 +0,0 @@
-// +build go1.3,!plan9,!solaris,!windows
-
-// Turns out you can't copy over an existing file on Windows.
-
-package main
-
-import (
-	"io/ioutil"
-	"os"
-	"testing"
-)
-
-func (vt *ValidatorTest) UpdateEmailFileViaCopyingOver(
-	t *testing.T, emails []string) {
-	origFile := vt.authEmailFile
-	var err error
-	vt.authEmailFile, err = ioutil.TempFile("", "test_auth_emails_")
-	if err != nil {
-		t.Fatal("failed to create temp file for copy: " + err.Error())
-	}
-	vt.WriteEmails(t, emails)
-	err = os.Rename(vt.authEmailFile.Name(), origFile.Name())
-	if err != nil {
-		t.Fatal("failed to copy over temp file: " + err.Error())
-	}
-	vt.authEmailFile = origFile
-}
-
-func TestValidatorOverwriteEmailListViaCopyingOver(t *testing.T) {
-	vt := NewValidatorTest(t)
-	defer vt.TearDown()
-
-	vt.WriteEmails(t, []string{"xyzzy@example.com"})
-	domains := []string(nil)
-	updated := make(chan bool)
-	validator := vt.NewValidator(domains, updated)
-
-	if !validator("xyzzy@example.com") {
-		t.Error("email in list should validate")
-	}
-
-	vt.UpdateEmailFileViaCopyingOver(t, []string{"plugh@example.com"})
-	<-updated
-
-	if validator("xyzzy@example.com") {
-		t.Error("email removed from list should not validate")
-	}
-}
diff --git a/validator_watcher_test.go b/validator_watcher_test.go
deleted file mode 100644
index b022d68f..00000000
--- a/validator_watcher_test.go
+++ /dev/null
@@ -1,102 +0,0 @@
-// +build go1.3,!plan9,!solaris
-
-package main
-
-import (
-	"io/ioutil"
-	"os"
-	"testing"
-)
-
-func (vt *ValidatorTest) UpdateEmailFile(t *testing.T, emails []string) {
-	var err error
-	vt.authEmailFile, err = os.OpenFile(
-		vt.authEmailFile.Name(), os.O_WRONLY|os.O_CREATE, 0600)
-	if err != nil {
-		t.Fatal("failed to re-open temp file for updates")
-	}
-	vt.WriteEmails(t, emails)
-}
-
-func (vt *ValidatorTest) UpdateEmailFileViaRenameAndReplace(
-	t *testing.T, emails []string) {
-	origFile := vt.authEmailFile
-	var err error
-	vt.authEmailFile, err = ioutil.TempFile("", "test_auth_emails_")
-	if err != nil {
-		t.Fatal("failed to create temp file for rename and replace: " +
-			err.Error())
-	}
-	vt.WriteEmails(t, emails)
-
-	movedName := origFile.Name() + "-moved"
-	err = os.Rename(origFile.Name(), movedName)
-	err = os.Rename(vt.authEmailFile.Name(), origFile.Name())
-	if err != nil {
-		t.Fatal("failed to rename and replace temp file: " +
-			err.Error())
-	}
-	vt.authEmailFile = origFile
-	os.Remove(movedName)
-}
-
-func TestValidatorOverwriteEmailListDirectly(t *testing.T) {
-	vt := NewValidatorTest(t)
-	defer vt.TearDown()
-
-	vt.WriteEmails(t, []string{
-		"xyzzy@example.com",
-		"plugh@example.com",
-	})
-	domains := []string(nil)
-	updated := make(chan bool)
-	validator := vt.NewValidator(domains, updated)
-
-	if !validator("xyzzy@example.com") {
-		t.Error("first email in list should validate")
-	}
-	if !validator("plugh@example.com") {
-		t.Error("second email in list should validate")
-	}
-	if validator("xyzzy.plugh@example.com") {
-		t.Error("email not in list that matches no domains " +
-			"should not validate")
-	}
-
-	vt.UpdateEmailFile(t, []string{
-		"xyzzy.plugh@example.com",
-		"plugh@example.com",
-	})
-	<-updated
-
-	if validator("xyzzy@example.com") {
-		t.Error("email removed from list should not validate")
-	}
-	if !validator("plugh@example.com") {
-		t.Error("email retained in list should validate")
-	}
-	if !validator("xyzzy.plugh@example.com") {
-		t.Error("email added to list should validate")
-	}
-}
-
-func TestValidatorOverwriteEmailListViaRenameAndReplace(t *testing.T) {
-	vt := NewValidatorTest(t)
-	defer vt.TearDown()
-
-	vt.WriteEmails(t, []string{"xyzzy@example.com"})
-	domains := []string(nil)
-	updated := make(chan bool, 1)
-	validator := vt.NewValidator(domains, updated)
-
-	if !validator("xyzzy@example.com") {
-		t.Error("email in list should validate")
-	}
-
-	vt.UpdateEmailFileViaRenameAndReplace(t, []string{"plugh@example.com"})
-	<-updated
-
-	if validator("xyzzy@example.com") {
-		t.Error("email removed from list should not validate")
-	}
-}