diff --git a/CHANGELOG.md b/CHANGELOG.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
-## [*Unreleased*](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.1.1...master)
+## [*Unreleased*](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.1.2...master)
 
 None
+
+## [v0.6.1.2](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.1.1...v0.6.1.2)
+
+- Don't report our own errors like OAuth2 ErrorResponses
 
 ## [v0.6.1.1](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.1.0...v0.6.1.1)
 
diff --git a/src/Yesod/Auth/OAuth2/Dispatch.hs b/src/Yesod/Auth/OAuth2/Dispatch.hs
--- a/src/Yesod/Auth/OAuth2/Dispatch.hs
+++ b/src/Yesod/Auth/OAuth2/Dispatch.hs
@@ -9,7 +9,8 @@
 module Yesod.Auth.OAuth2.Dispatch
     ( FetchCreds
     , dispatchAuthRequest
-    ) where
+    )
+where
 
 import Control.Exception.Safe
 import Control.Monad (unless, (<=<))
@@ -63,7 +64,7 @@
 dispatchCallback :: Text -> OAuth2 -> FetchCreds m -> AuthHandler m TypedContent
 dispatchCallback name oauth2 getCreds = do
     csrf <- verifySessionCSRF $ tokenSessionKey name
-    onErrorResponse errInvalidOAuth
+    onErrorResponse $ oauth2HandshakeError name
     code <- requireGetParam "code"
     manager <- authHttpManager
     oauth2' <- withCallbackAndState name oauth2 csrf
@@ -72,12 +73,30 @@
     setCredsRedirect creds
   where
     errLeft :: Show e => IO (Either e a) -> AuthHandler m a
-    errLeft = either (errInvalidOAuth . unknownError . tshow) pure <=< liftIO
+    errLeft = either (unexpectedError name) pure <=< liftIO
 
-    errInvalidOAuth :: ErrorResponse -> AuthHandler m a
-    errInvalidOAuth err = do
-        $(logError) $ "OAuth2 error (" <> name <> "): " <> tshow err
-        redirectMessage $ "Unable to log in with OAuth2: " <> erUserMessage err
+-- | Handle an OAuth2 @'ErrorResponse'@
+--
+-- These are things coming from the OAuth2 provider such an Invalid Grant or
+-- Invalid Scope and /may/ be user-actionable. We've coded them to have an
+-- @'erUserMessage'@ that we are comfortable displaying to the user as part of
+-- the redirect, just in case.
+--
+oauth2HandshakeError :: Text -> ErrorResponse -> AuthHandler m a
+oauth2HandshakeError name err = do
+    $(logError) $ "Handshake failure in " <> name <> " plugin: " <> tshow err
+    redirectMessage $ "OAuth2 handshake failure: " <> erUserMessage err
+
+-- | Handle an unexpected error
+--
+-- This would be some unexpected exception while processing the callback.
+-- Therefore, the user should see an opaque message and the details go only to
+-- the server logs.
+--
+unexpectedError :: Show e => Text -> e -> AuthHandler m a
+unexpectedError name err = do
+    $(logError) $ "Error in " <> name <> " OAuth2 plugin: " <> tshow err
+    redirectMessage "Unexpected error logging in with OAuth2"
 
 redirectMessage :: Text -> AuthHandler m a
 redirectMessage msg = do
diff --git a/yesod-auth-oauth2.cabal b/yesod-auth-oauth2.cabal
--- a/yesod-auth-oauth2.cabal
+++ b/yesod-auth-oauth2.cabal
@@ -1,13 +1,13 @@
 cabal-version: 1.12
 
--- This file has been generated from package.yaml by hpack version 0.31.1.
+-- This file has been generated from package.yaml by hpack version 0.31.2.
 --
 -- see: https://github.com/sol/hpack
 --
--- hash: c1c011a70a950aa06a81581631093cff63155d27dfd919ee890ec488597e5bd0
+-- hash: e04edfe71067040f559a7ef9bdb8aef187060f21ee13314bbaaec9612a9c5c8d
 
 name:           yesod-auth-oauth2
-version:        0.6.1.1
+version:        0.6.1.2
 synopsis:       OAuth 2.0 authentication plugins
 description:    Library to authenticate with OAuth 2.0 for Yesod web applications.
 category:       Web
@@ -32,25 +32,6 @@
   default: False
 
 library
-  hs-source-dirs:
-      src
-  ghc-options: -Wall
-  build-depends:
-      aeson >=0.6 && <1.5
-    , base >=4.9.0.0 && <5
-    , bytestring >=0.9.1.4
-    , errors
-    , hoauth2 >=1.3.0 && <1.9
-    , http-client >=0.4.0 && <0.7
-    , http-conduit >=2.0 && <3.0
-    , http-types >=0.8 && <0.13
-    , microlens
-    , random
-    , safe-exceptions
-    , text >=0.7 && <2.0
-    , uri-bytestring
-    , yesod-auth >=1.6.0 && <1.7
-    , yesod-core >=1.6.0 && <1.7
   exposed-modules:
       URI.ByteString.Extension
       Yesod.Auth.OAuth2
@@ -72,10 +53,31 @@
       Yesod.Auth.OAuth2.Upcase
   other-modules:
       Paths_yesod_auth_oauth2
+  hs-source-dirs:
+      src
+  ghc-options: -Wall
+  build-depends:
+      aeson >=0.6 && <1.5
+    , base >=4.9.0.0 && <5
+    , bytestring >=0.9.1.4
+    , errors
+    , hoauth2 >=1.3.0 && <1.9
+    , http-client >=0.4.0 && <0.7
+    , http-conduit >=2.0 && <3.0
+    , http-types >=0.8 && <0.13
+    , microlens
+    , random
+    , safe-exceptions
+    , text >=0.7 && <2.0
+    , uri-bytestring
+    , yesod-auth >=1.6.0 && <1.7
+    , yesod-core >=1.6.0 && <1.7
   default-language: Haskell2010
 
 executable yesod-auth-oauth2-example
   main-is: Main.hs
+  other-modules:
+      Paths_yesod_auth_oauth2
   hs-source-dirs:
       example
   ghc-options: -Wall -threaded -rtsopts -with-rtsopts=-N
@@ -94,13 +96,14 @@
     , yesod-auth-oauth2
   if !(flag(example))
     buildable: False
-  other-modules:
-      Paths_yesod_auth_oauth2
   default-language: Haskell2010
 
 test-suite test
   type: exitcode-stdio-1.0
   main-is: Spec.hs
+  other-modules:
+      URI.ByteString.ExtensionSpec
+      Paths_yesod_auth_oauth2
   hs-source-dirs:
       test
   ghc-options: -Wall
@@ -109,7 +112,4 @@
     , hspec
     , uri-bytestring
     , yesod-auth-oauth2
-  other-modules:
-      URI.ByteString.ExtensionSpec
-      Paths_yesod_auth_oauth2
   default-language: Haskell2010
