diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index d7097eb434c..8809e94d4c0 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -31,6 +31,8 @@ class Users::OmniauthCallbacksController < ApplicationController
 def complete
 auth = request.env["omniauth.auth"]
+ raise Discourse::NotFound unless request.env["omniauth.auth"]
+
 auth[:session] = session
 authenticator = self.class.find_authenticator(params[:provider])
diff --git a/spec/integration/omniauth_callbacks_spec.rb b/spec/integration/omniauth_callbacks_spec.rb
index 7549e90f776..b57d4eda2cc 100644
--- a/spec/integration/omniauth_callbacks_spec.rb
+++ b/spec/integration/omniauth_callbacks_spec.rb
@@ -16,6 +16,13 @@ RSpec.describe "OmniAuth Callbacks" do
 SiteSetting.enable_google_oauth2_logins = true
 end
+ context "without an `omniauth.auth` env" do
+ it "should return a 404" do
+ get "/auth/eviltrout/callback"
+ expect(response).not_to be_success
+ end
+ end
+
 describe 'when user has been verified' do
 before do
 OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
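Review bot: The new guard re-reads `request.env["omniauth.auth"]` even though the line directly above has already bound that value to `auth`; testing the local keeps the two in step and reads more directly: `raise Discourse::NotFound unless auth`. What matters is that the raise sits before `auth[:session] = session`, since that assignment would otherwise fail with NoMethodError on nil and surface as a 500 rather than a 404, and the hunk already orders it that way. A one-line comment such as `# No auth hash means OmniAuth did not run for this provider; treat the callback as an unknown route` would record why a 404 is the intended response. The body of `complete` continues past the end of the hunk.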
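Review bot: The example is titled "should return a 404" but `expect(response).not_to be_success` also passes on a 500, which is precisely the failure mode the controller change is meant to eliminate, so the spec cannot distinguish the fix from the old behaviour; pin the status with `expect(response.status).to eq(404)`. The surrounding `before` block only enables google_oauth2, so `/auth/eviltrout/callback` presumably reaches the controller with no `omniauth.auth` env, which is the case under test; naming that in the example description would make the intent explicit.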