diff --git a/oauthproxy.go b/oauthproxy.go
index e3a74b1d..dda1b34f 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -987,16 +987,15 @@ func (p *OAuthProxy) enrichSessionState(ctx context.Context, s *sessionsapi.Sess
 // and optional authorization).
 func (p *OAuthProxy) AuthOnly(rw http.ResponseWriter, req *http.Request) {
 	session, err := p.getAuthenticatedSession(rw, req)
-	if err != nil {
-		// If SkipProviderButton is enabled and user needs login, redirect directly
-		// to OAuth provider instead of returning 401. This allows nginx auth_request
-		// to pass through the 302 redirect to the browser, bypassing error_page
-		// handling which can break redirect flows.
-		// See: https://github.com/oauth2-proxy/oauth2-proxy/issues/334
-		if p.SkipProviderButton && err == ErrNeedsLogin {
-			p.doOAuthStart(rw, req, nil)
-			return
-		}
+	// If SkipProviderButton is enabled and user needs login, redirect directly
+	// to OAuth provider instead of returning 401. This allows nginx auth_request
+	// to pass through the 302 redirect to the browser, bypassing error_page
+	// handling which can break redirect flows.
+	// See: https://github.com/oauth2-proxy/oauth2-proxy/issues/334
+	if p.SkipProviderButton && err == ErrNeedsLogin {
+		p.doOAuthStart(rw, req, nil)
+		return
+	} else if err != nil {
 		http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 		return
 	}