diff --git a/config/envoyconfig/routes.go b/config/envoyconfig/routes.go
index b638ca9d2..15d9f7936 100644
--- a/config/envoyconfig/routes.go
+++ b/config/envoyconfig/routes.go
@@ -74,21 +74,38 @@ func (b *Builder) buildPomeriumHTTPRoutes(options *config.Options, host string)
 			routes = append(routes, b.buildControlPlanePathRoute("/robots.txt", false))
 		}
 	}
-	// if we're handling authentication, add the oauth2 callback url
-	// as the callback url is from the IdP, it is expected only on the public authenticate URL endpoint
-	authenticateURL, err := options.GetAuthenticateURL()
+
+	authRoutes, err := b.buildPomeriumAuthenticateHTTPRoutes(options, host)
 	if err != nil {
 		return nil, err
 	}
-	if config.IsAuthenticate(options.Services) && urlMatchesHost(authenticateURL, host) {
-		routes = append(routes,
-			b.buildControlPlanePathRoute(options.AuthenticateCallbackPath, false),
-			b.buildControlPlanePathRoute("/", false),
-		)
-	}
+	routes = append(routes, authRoutes...)
 	return routes, nil
 }
 
+func (b *Builder) buildPomeriumAuthenticateHTTPRoutes(options *config.Options, host string) ([]*envoy_config_route_v3.Route, error) {
+	if !config.IsAuthenticate(options.Services) {
+		return nil, nil
+	}
+
+	for _, fn := range []func() (*url.URL, error){
+		options.GetAuthenticateURL,
+		options.GetInternalAuthenticateURL,
+	} {
+		u, err := fn()
+		if err != nil {
+			return nil, err
+		}
+		if urlMatchesHost(u, host) {
+			return []*envoy_config_route_v3.Route{
+				b.buildControlPlanePathRoute(options.AuthenticateCallbackPath, false),
+				b.buildControlPlanePathRoute("/", false),
+			}, nil
+		}
+	}
+	return nil, nil
+}
+
 func (b *Builder) buildControlPlanePathRoute(path string, protected bool) *envoy_config_route_v3.Route {
 	r := &envoy_config_route_v3.Route{
 		Name: "pomerium-path-" + path,