diff --git a/authenticate/handlers.go b/authenticate/handlers.go
index 602357cb9..a370279e4 100644
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@@ -96,11 +96,16 @@ func (a *Authenticate) mountDashboard(r *mux.Router) {
 AllowedHeaders: []string{"*"},
 })
 sr.Use(c.Handler)
+
+ // routes that don't need a session:
+ sr.Path("/sign_out").Handler(httputil.HandlerFunc(a.SignOut))
+
+ // routes that need a session:
+ sr = sr.NewRoute().Subrouter()
 sr.Use(a.RetrieveSession)
 sr.Use(a.VerifySession)
 sr.Path("/").Handler(a.requireValidSignatureOnRedirect(a.userInfo))
 sr.Path("/sign_in").Handler(httputil.HandlerFunc(a.SignIn))
- sr.Path("/sign_out").Handler(httputil.HandlerFunc(a.SignOut))
 sr.Path("/device-enrolled").Handler(httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
 userInfoData, err := a.getUserInfoData(r)
 if err != nil {
diff --git a/config/envoyconfig/routes.go b/config/envoyconfig/routes.go
index b638ca9d2..15d9f7936 100644
--- a/config/envoyconfig/routes.go
+++ b/config/envoyconfig/routes.go
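Review bot: Registering `/sign_out` before `sr = sr.NewRoute().Subrouter()` means `a.SignOut` now runs without `RetrieveSession`/`VerifySession`, so it is reachable by any unauthenticated client and must not assume a session is present in the request context; SignOut's body is outside this hunk, so whether it tolerates a missing session cannot be confirmed here. Because the endpoint is now unauthenticated, any redirect target it takes from the query should continue to be honoured only when the request carries a valid signature, otherwise this becomes an open-redirect and forced-logout endpoint. The comment on the new line should say why rather than what, e.g. `// routes that don't need a session: sign_out must work for an expired or missing session, so it is mounted before the session middleware`. Reassigning `sr` for the session-requiring subrouter also makes it easy to misread which router a later route lands on; `authed := sr.NewRoute().Subrouter()` with the remaining routes on `authed` would make the split visible at each call site.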
@@ -74,21 +74,38 @@ func (b *Builder) buildPomeriumHTTPRoutes(options *config.Options, host string)
 routes = append(routes, b.buildControlPlanePathRoute("/robots.txt", false))
 }
 }
- // if we're handling authentication, add the oauth2 callback url
- // as the callback url is from the IdP, it is expected only on the public authenticate URL endpoint
- authenticateURL, err := options.GetAuthenticateURL()
+
+ authRoutes, err := b.buildPomeriumAuthenticateHTTPRoutes(options, host)
 if err != nil {
 return nil, err
 }
- if config.IsAuthenticate(options.Services) && urlMatchesHost(authenticateURL, host) {
- routes = append(routes,
- b.buildControlPlanePathRoute(options.AuthenticateCallbackPath, false),
- b.buildControlPlanePathRoute("/", false),
- )
- }
+ routes = append(routes, authRoutes...)
 return routes, nil
 }
 
+func (b *Builder) buildPomeriumAuthenticateHTTPRoutes(options *config.Options, host string) ([]*envoy_config_route_v3.Route, error) {
+ if !config.IsAuthenticate(options.Services) {
+ return nil, nil
+ }
+
+ for _, fn := range []func() (*url.URL, error){
+ options.GetAuthenticateURL,
+ options.GetInternalAuthenticateURL,
+ } {
+ u, err := fn()
+ if err != nil {
+ return nil, err
+ }
+ if urlMatchesHost(u, host) {
+ return []*envoy_config_route_v3.Route{
+ b.buildControlPlanePathRoute(options.AuthenticateCallbackPath, false),
+ b.buildControlPlanePathRoute("/", false),
+ }, nil
+ }
+ }
+ return nil, nil
+}
+
 func (b *Builder) buildControlPlanePathRoute(path string, protected bool) *envoy_config_route_v3.Route {
 r := &envoy_config_route_v3.Route{
 Name: "pomerium-path-" + path,
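Review bot: The new `buildPomeriumAuthenticateHTTPRoutes` has no doc comment, and the removed rationale ("the callback url is from the IdP, it is expected only on the public authenticate URL endpoint") is not replaced, so a reader cannot tell why the internal authenticate URL now also receives `options.AuthenticateCallbackPath` and `/`. Suggest a doc comment such as `// buildPomeriumAuthenticateHTTPRoutes returns the OAuth2 callback and "/" control-plane routes for host when this instance runs the authenticate service and host matches the public or the internal authenticate URL; otherwise it returns nil.` plus a one-line why next to `options.GetInternalAuthenticateURL`. Both routes are still built with `protected=false`, so if the internal URL is meant to be reachable only from inside the deployment this is an additional unauthenticated entry point for `/` on that host, which is worth confirming is intended. The loop also needs `net/url` in scope for `*url.URL`; the import block is not in the hunk, so check it is already imported. `buildPomeriumHTTPRoutes` starts outside this hunk.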