diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index bb33159a4..b61ff3678 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -34,14 +34,18 @@ class Users::OmniauthCallbacksController < ApplicationController
 authenticator = self.class.find_authenticator(params[:provider])
- @data = authenticator.after_authenticate(auth)
- @data.authenticator_name = authenticator.name
+ @auth_result = authenticator.after_authenticate(auth)
- complete_response_data
-
- respond_to do |format|
- format.html
- format.json { render json: @data.to_client_hash }
+ if @auth_result.failed?
+ flash[:error] = @auth_result.failed_reason.html_safe
+ return render('failure')
+ else
+ @auth_result.authenticator_name = authenticator.name
+ complete_response_data
+ respond_to do |format|
+ format.html
+ format.json { render json: @auth_result.to_client_hash }
+ end
 end
 end
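Review bot: `flash[:error] = @auth_result.failed_reason.html_safe` in the new failure branch disables ERB escaping for a string that each authenticator composes, and app/views/users/omniauth_callbacks/failure.html.erb then prints it with `<%=flash[:error]%>`. Nothing visible in this commit constrains what an authenticator puts into `failed_reason`, so text copied from the provider response or from the user would be rendered as markup on the login page. Assigning the plain string, `flash.now[:error] = @auth_result.failed_reason`, keeps the default escaping (with `sanitize` in the view if limited markup is really wanted); `flash.now` also fits better because the action renders in the same request, and without it the message can show again on the next one. A nil `failed_reason` would raise on `.html_safe` before the view's `login.omniauth_error_unknown` fallback is reached. The enclosing action begins above this hunk.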
@@ -69,35 +73,35 @@ class Users::OmniauthCallbacksController < ApplicationController protected def complete_response_data - if @data.user - user_found(@data.user) + if @auth_result.user + user_found(@auth_result.user) elsif SiteSetting.invite_only? - @data.requires_invite = true + @auth_result.requires_invite = true else - session[:authentication] = @data.session_data + session[:authentication] = @auth_result.session_data end end def user_found(user) # automatically activate any account if a provider marked the email valid - if !user.active && @data.email_valid + if !user.active && @auth_result.email_valid user.toggle(:active).save end if ScreenedIpAddress.should_block?(request.remote_ip) - @data.not_allowed_from_ip_address = true + @auth_result.not_allowed_from_ip_address = true elsif ScreenedIpAddress.block_admin_login?(user, request.remote_ip) - @data.admin_not_allowed_from_ip_address = true + @auth_result.admin_not_allowed_from_ip_address = true elsif Guardian.new(user).can_access_forum? && user.active # log on any account that is active with forum access log_on_user(user) Invite.invalidate_for_email(user.email) # invite link can't be used to log in anymore session[:authentication] = nil # don't carry around old auth info, perhaps move elsewhere - @data.authenticated = true + @auth_result.authenticated = true else if SiteSetting.must_approve_users? && !user.approved? - @data.awaiting_approval = true + @auth_result.awaiting_approval = true else - @data.awaiting_activation = true + @auth_result.awaiting_activation = true end end end diff --git a/app/views/users/omniauth_callbacks/complete.html.erb b/app/views/users/omniauth_callbacks/complete.html.erb index d2198018a..310726853 100644 --- a/app/views/users/omniauth_callbacks/complete.html.erb +++ b/app/views/users/omniauth_callbacks/complete.html.erb @@ -22,7 +22,7 @@

<%=t "login.close_window" %>

diff --git a/app/views/users/omniauth_callbacks/failure.html.erb b/app/views/users/omniauth_callbacks/failure.html.erb index 697043807..c83169acb 100644 --- a/app/views/users/omniauth_callbacks/failure.html.erb +++ b/app/views/users/omniauth_callbacks/failure.html.erb @@ -1,11 +1,20 @@ -
- <%if flash[:error]%> -
- <%=flash[:error]%> + + + <%= render partial: "layouts/head" %> + <%= render partial: "common/special_font_face" %> + <%= render partial: "common/discourse_stylesheet" %> + + +
+ <%if flash[:error].present? %> +
+ <%=flash[:error]%> +
+ <%else%> +
+ <%= t 'login.omniauth_error_unknown' %> +
+ <%end%>
- <%else%> -
- <% t 'login.omniauth_error_unknown' %> -
- <%end%> -
\ No newline at end of file + + diff --git a/lib/auth/result.rb b/lib/auth/result.rb index 6bb016c00..e1f93d86b 100644 --- a/lib/auth/result.rb +++ b/lib/auth/result.rb @@ -5,15 +5,24 @@ class Auth::Result :requires_invite, :not_allowed_from_ip_address, :admin_not_allowed_from_ip_address + attr_accessor :failed, + :failed_reason + + def initialize + @failed = false + end + + def failed? + !!@failed + end + def session_data - { - email: email, + { email: email, username: username, email_valid: email_valid, name: name, authenticator_name: authenticator_name, - extra_data: extra_data - } + extra_data: extra_data } end def to_client_hash diff --git a/spec/views/omniauth_callbacks/complete.html.erb_spec.rb b/spec/views/omniauth_callbacks/complete.html.erb_spec.rb index c9bd3d52e..0211cda3d 100644 --- a/spec/views/omniauth_callbacks/complete.html.erb_spec.rb +++ b/spec/views/omniauth_callbacks/complete.html.erb_spec.rb @@ -13,7 +13,7 @@ describe "users/omniauth_callbacks/complete.html.erb" do result = Auth::Result.new result.user = User.new - assign(:data, result) + assign(:auth_result, result) render @@ -28,7 +28,7 @@ describe "users/omniauth_callbacks/complete.html.erb" do result.email = "xxx@xxx.com" result.authenticator_name = "CAS" - assign(:data, result) + assign(:auth_result, result) render
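Review bot: In lib/auth/result.rb the new `failed_reason` accessor carries no comment saying where its value ends up, although the controller hunk in this commit marks it `html_safe` and the failure view prints it. A short comment above the accessor, for example `# failed_reason is shown to the user on the login failure page; authenticators must not copy provider or user input into it unescaped`, would give plugin authors the contract. `failed?` could also get a one-line comment noting that it stays false unless an authenticator sets `failed`.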