diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 6bcd47d9b..c4cde27bb 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -1,9 +1,14 @@
 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+ skip_before_action :verify_authenticity_token, only: :openid_connect
+
 def openid_connect
 @user = Person.from_omniauth(request.env['omniauth.auth'])
- @user.save
- sign_in_and_redirect @user, event: :authentication # this will throw if @user is not activated
- set_flash_message(:notice, :success, kind: 'Keycloak') if is_navigational_format?
+ if @user.persisted?
+ sign_in_and_redirect @user, event: :authentication # this will throw if @user is not activated
+ set_flash_message(:notice, :success, kind: 'Keycloak') if is_navigational_format?
+ else
+ failure
+ end
 end

 def failure
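Review bot: The added `skip_before_action :verify_authenticity_token, only: :openid_connect` turns off Rails' CSRF check for the callback without a comment saying why, and once it is off the only defence against a forged callback (login CSRF) is the `state`/nonce validation the OmniAuth strategy performs before this action runs. Presumably the identity provider posts the response back cross-site, so no authenticity token can be present; if that is the reason, I would record it above the line, e.g. `# IdP posts the callback cross-site, so there is no Rails CSRF token; forgery protection is the strategy's state check`, and confirm that state validation is not disabled in the strategy configuration, which is not visible in this diff. Separately, with `@user.save` removed, `@user.persisted?` raises NoMethodError if `Person.from_omniauth` can ever return nil; `if @user&.persisted?` would send that case to `failure` instead of a 500. The body of the overridden `failure` starts at the last line of the hunk and is not shown, so whether it copes with being called without an OmniAuth error in the request env should be checked there.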