diff --git a/pkg/services/authn/authnimpl/sync/oauth_token_sync.go b/pkg/services/authn/authnimpl/sync/oauth_token_sync.go
index 5cffdeea056..22bbe03ee40 100644
--- a/pkg/services/authn/authnimpl/sync/oauth_token_sync.go
+++ b/pkg/services/authn/authnimpl/sync/oauth_token_sync.go
@@ -53,12 +53,16 @@ func (s *OAuthTokenSync) SyncOauthTokenHook(ctx context.Context, identity *authn
 
 	// if we recently have performed this it would be cached, so we can skip the hook
 	if _, ok := s.cache.Get(identity.ID); ok {
+		s.log.FromContext(ctx).Debug("OAuth token check is cached", "id", identity.ID)
 		return nil
 	}
 
-	token, exists, _ := s.service.HasOAuthEntry(ctx, identity)
+	token, exists, err := s.service.HasOAuthEntry(ctx, identity)
 	// user is not authenticated through oauth so skip further checks
 	if !exists {
+		if err != nil {
+			s.log.FromContext(ctx).Error("Failed to fetch oauth entry", "id", identity.ID, "error", err)
+		}
 		return nil
 	}
 
@@ -69,6 +73,7 @@ func (s *OAuthTokenSync) SyncOauthTokenHook(ctx context.Context, identity *authn
 
 	// token has no expire time configured, so we don't have to refresh it
 	if token.OAuthExpiry.IsZero() {
+		s.log.FromContext(ctx).Debug("Access token without expiry", "id", identity.ID)
 		// cache the token check, so we don't perform it on every request
 		s.cache.Set(identity.ID, struct{}{}, getOAuthTokenCacheTTL(token.OAuthExpiry, idTokenExpiry))
 		return nil
@@ -97,6 +102,7 @@ func (s *OAuthTokenSync) SyncOauthTokenHook(ctx context.Context, identity *authn
 	}
 	// token has not expired, so we don't have to refresh it
 	if !hasAccessTokenExpired && !hasIdTokenExpired {
+		s.log.FromContext(ctx).Debug("Access and id token has not expired yet", "id", identity.ID)
 		// cache the token check, so we don't perform it on every request
 		s.cache.Set(identity.ID, struct{}{}, getOAuthTokenCacheTTL(accessTokenExpires, idTokenExpires))
 		return nil