diff --git a/pkg/oidcclient/login.go b/pkg/oidcclient/login.go
index fad28e10..b01e5238 100644
--- a/pkg/oidcclient/login.go
+++ b/pkg/oidcclient/login.go
@@ -813,7 +813,7 @@ func (h *handlerState) handleRefresh(ctx context.Context, refreshToken *oidctype
 	refreshed, err := upstreamOIDCIdentityProvider.PerformRefresh(ctx, refreshToken.Token)
 	if err != nil {
 		// Ignore errors during refresh, but return nil which will trigger the full login flow.
-		h.logger.V(debugLogLevel).Info("Pinniped: Refresh failed.", "err", err)
+		h.logger.V(debugLogLevel).Info("Pinniped: Refresh failed.", "error", err.Error())
 		return nil, nil
 	}
 
diff --git a/pkg/oidcclient/login_test.go b/pkg/oidcclient/login_test.go
index e2548ebd..cdb497e6 100644
--- a/pkg/oidcclient/login_test.go
+++ b/pkg/oidcclient/login_test.go
@@ -513,7 +513,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
 			wantLogs: []string{
 				`"level"=4 "msg"="Pinniped: Performing OIDC discovery"  "issuer"="` + successServer.URL + `"`,
 				`"level"=4 "msg"="Pinniped: Refreshing cached token."`,
-				`"level"=4 "msg"="Pinniped: Refresh failed."`,
+				`"level"=4 "msg"="Pinniped: Refresh failed."  "error"="oauth2: cannot fetch token: 400 Bad Request\nResponse: expected client_id 'test-client-id'\n"`,
 				`"msg"="could not open callback listener" "error"="some listen error"`,
 			},
 			// Expect this to fall through to the authorization code flow, so it fails here.