diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
index 6a93226f9baa..2572c856ca95 100644
--- a/apisix/plugins/openid-connect.lua
+++ b/apisix/plugins/openid-connect.lua
@@ -116,11 +116,12 @@ local function introspect(ctx, conf)
             end
         else
             res, err = openidc.introspect(conf)
-            if res then
+            if err then
+                return ngx.HTTP_UNAUTHORIZED, err
+            else
                 return res
             end
         end
-
         if conf.bearer_only then
             ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. conf.realm
                                              .. '",error="' .. err .. '"'