diff --git a/tools/auth/base_provider.go b/tools/auth/base_provider.go
index 4bcb681b..a4477da1 100644
--- a/tools/auth/base_provider.go
+++ b/tools/auth/base_provider.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"io/ioutil"
 	"net/http"
 
@@ -120,6 +121,16 @@ func (p *baseProvider) FetchRawUserData(token *oauth2.Token, result any) error {
 		return err
 	}
 
+	// http.Client.Get doesn't treat non 2xx responses as error
+	if response.StatusCode >= 400 {
+		return fmt.Errorf(
+			"Failed to fetch OAuth2 user profile via %s (%d):\n%s",
+			p.userApiUrl,
+			response.StatusCode,
+			string(content),
+		)
+	}
+
 	return json.Unmarshal(content, &result)
 }