diff --git a/go.sum b/go.sum
index 5b6d4f47f..b9bb569c7 100644
--- a/go.sum
+++ b/go.sum
@@ -870,8 +870,6 @@ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEY
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
 google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200808173500-a06252235341 h1:Kceb+1TNS2X7Cj/A+IUTljNerF/4wOFjlFJ0RGHYKKE=
-google.golang.org/genproto v0.0.0-20200808173500-a06252235341/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200815001618-f69a88009b70 h1:wboULUXGF3c5qdUnKp+6gLAccE6PRpa/czkYvQ4UXv8=
 google.golang.org/genproto v0.0.0-20200815001618-f69a88009b70/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
diff --git a/internal/directory/okta/okta.go b/internal/directory/okta/okta.go
index 89bedd4c4..8f73a7f50 100644
--- a/internal/directory/okta/okta.go
+++ b/internal/directory/okta/okta.go
@@ -6,6 +6,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"sort"
@@ -158,7 +159,7 @@ func (p *Provider) getGroups(ctx context.Context) ([]*directory.Group, error) {
 	q := u.Query()
 	q.Set("limit", strconv.Itoa(p.cfg.batchSize))
 	if p.lastUpdated != nil {
-		q.Set("filter", fmt.Sprintf(`lastUpdated+gt+"%[1]s"+or+lastMembershipUpdated+gt+"%[1]s"`, p.lastUpdated.UTC().Format(filterDateFormat)))
+		q.Set("filter", fmt.Sprintf(`lastUpdated gt "%[1]s" or lastMembershipUpdated gt "%[1]s"`, p.lastUpdated.UTC().Format(filterDateFormat)))
 	} else {
 		now := time.Now()
 		p.lastUpdated = &now
@@ -258,7 +259,8 @@ func (p *Provider) apiGet(ctx context.Context, uri string, out interface{}) (htt
 			continue
 		}
 		if res.StatusCode/100 != 2 {
-			return nil, fmt.Errorf("okta: error query api status_code=%d: %s", res.StatusCode, res.Status)
+			buf, _ := ioutil.ReadAll(res.Body)
+			return nil, fmt.Errorf("okta: error query api status_code=%d: %s", res.StatusCode, string(buf))
 		}
 		if err := json.NewDecoder(res.Body).Decode(out); err != nil {
 			return nil, err
diff --git a/internal/directory/okta/okta_test.go b/internal/directory/okta/okta_test.go
index 89ba9b3b9..c30e4afc9 100644
--- a/internal/directory/okta/okta_test.go
+++ b/internal/directory/okta/okta_test.go
@@ -40,7 +40,7 @@ func newMockOkta(srv *httptest.Server, userEmailToGroups map[string][]string) ht
 		})
 	})
 	r.Get("/api/v1/groups", func(w http.ResponseWriter, r *http.Request) {
-		lastUpdated := strings.Contains(r.URL.Query().Get("filter"), "lastUpdated")
+		lastUpdated := strings.Contains(r.URL.Query().Get("filter"), "lastUpdated ")
 		var groups []string
 		for group := range allGroups {
 			if lastUpdated && group != "user-updated" {