diff --git a/oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/internal/endpoint/CallbackOIDCEndpoint.java b/oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/internal/endpoint/CallbackOIDCEndpoint.java
index b787bff..7a6713c 100644
--- a/oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/internal/endpoint/CallbackOIDCEndpoint.java
+++ b/oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/internal/endpoint/CallbackOIDCEndpoint.java
@@ -142,16 +142,16 @@ public class CallbackOIDCEndpoint implements OIDCEndpoint
         }
 
         // Validate state
-        String sessionState = this.configuration.removeSessionState();
-        if (sessionState == null) {
+        State providerState = authorizationResponse.getState();
+        if (providerState == null) {
             return new ErrorResponse(HTTPResponse.SC_BAD_REQUEST,
-                "No state could be found in the current OpenID Connection session"
-                    + " which suggest it was lost or that this callback endpoint was called directly");
+                    "Invalid state: got nothing");
         } else {
-            State providerState = authorizationResponse.getState();
-            if (providerState == null) {
+            String sessionState = this.configuration.removeSessionState(providerState.getValue());
+            if (sessionState == null) {
                 return new ErrorResponse(HTTPResponse.SC_BAD_REQUEST,
-                    "Invalid state: was expecting [" + sessionState + "] and got nothing");
+                        "No state could be found in the current OpenID Connection session"
+                        + " which suggest it was lost or that this callback endpoint was called directly");
             } else if (!Objects.equals(providerState.getValue(), sessionState)) {
                 this.logger.debug("OIDC callback: Invalid state (was expecting [{}] and got [{}])", sessionState,
                     providerState);