diff --git a/service/OneService.cpp b/service/OneService.cpp
index d547ca35f..1cf8b5e56 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -1729,9 +1729,24 @@ public:
 					NetworkState& ns = _nets[id];
 					char* code = zeroidc::zeroidc_get_url_param_value("code", path.c_str());
 					char *ret = ns.doTokenExchange(code);
-					scode = 200;
-					sprintf(resBuf, ssoResponseTemplate, "Authentication Successful. You may now access the network.");
-					responseBody = std::string(resBuf);
+					json ssoResult = json::parse(ret);
+					if (ssoResult.is_object()) {
+						if (ssoResult.contains("errorMessage")) {
+							std::string errorMessage = ssoResult["errorMessage"];
+							char errBuff[256] = {0};
+							sprintf(errBuff, "ERROR: %s", errorMessage.c_str());
+							sprintf(resBuf, ssoResponseTemplate, errBuff);
+							scode = 500;
+						} else {
+							scode = 200;
+							sprintf(resBuf, ssoResponseTemplate, "Authentication Successful. You may now access the network.");
+							responseBody = std::string(resBuf);
+						}
+					} else {
+						// not an object? We got a problem
+						sprintf(resBuf, ssoResponseTemplate, "Error: Unknown SSO response.");
+						scode= 500;
+					}
 
 					zeroidc::free_cstr(code);
 					zeroidc::free_cstr(ret);
diff --git a/zeroidc/src/ext.rs b/zeroidc/src/ext.rs
index 92d3552f8..0831cb193 100644
--- a/zeroidc/src/ext.rs
+++ b/zeroidc/src/ext.rs
@@ -275,7 +275,7 @@ pub extern "C" fn zeroidc_token_exchange(idc: *mut ZeroIDC, code: *const c_char
 
         },
         Err(e) => {
-            let errstr = format!("{{\"message\":\"{}\"\"}}", e).to_string();
+            let errstr = format!("{{\"errorMessage\":\"{}\"\"}}", e).to_string();
             let ret = CString::new(errstr).unwrap();
             return ret.into_raw();
         }