diff --git a/handlers.go b/handlers.go
index d5ba64623..023eb63d0 100644
--- a/handlers.go
+++ b/handlers.go
@@ -315,7 +315,7 @@ func (r *oauthProxy) logoutHandler(cx echo.Context) error {
 	}
 	// step: can either use the id token or the refresh token
 	identityToken := user.token.Encode()
-	if refresh, err := r.retrieveRefreshToken(cx.Request(), user); err == nil {
+	if refresh, _, err := r.retrieveRefreshToken(cx.Request(), user); err == nil {
 		identityToken = refresh
 	}
 	r.clearAllCookies(cx.Request(), cx.Response().Writer)
@@ -465,10 +465,7 @@ func (r *oauthProxy) metricsHandler(cx echo.Context) error {
 }
 
 // retrieveRefreshToken retrieves the refresh token from store or cookie
-func (r *oauthProxy) retrieveRefreshToken(req *http.Request, user *userContext) (string, error) {
-	var token string
-	var err error
-
+func (r *oauthProxy) retrieveRefreshToken(req *http.Request, user *userContext) (token, ecrypted string, err error) {
 	switch r.useStore() {
 	case true:
 		token, err = r.GetRefreshToken(user.token)
@@ -476,8 +473,10 @@ func (r *oauthProxy) retrieveRefreshToken(req *http.Request, user *userContext)
 		token, err = r.getRefreshTokenFromCookie(req)
 	}
 	if err != nil {
-		return "", err
+		return
 	}
-	return decodeText(token, r.config.EncryptionKey)
+	ecrypted = token // returns encryped, avoid encoding twice
+	token, err = decodeText(token, r.config.EncryptionKey)
+	return
 }
 
diff --git a/middleware.go b/middleware.go
index a41bb38ce..470fcb1d2 100644
--- a/middleware.go
+++ b/middleware.go
@@ -165,7 +165,7 @@ func (r *oauthProxy) authenticationMiddleware(resource *Resource) echo.Middlewar
 		}).Infof("accces token for user has expired, attemping to refresh the token")
 
 		// step: check if the user has refresh token
-		refresh, err := r.retrieveRefreshToken(cx.Request(), user)
+		refresh, encrypted, err := r.retrieveRefreshToken(cx.Request(), user)
 		if err != nil {
 			log.WithFields(log.Fields{
 				"client_ip": clientIP,
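Review bot: The doc comment above the new retrieveRefreshToken signature still describes a single result, while the function now also hands back a second string, and that named result is misspelled `ecrypted`. Suggest `// retrieveRefreshToken retrieves the refresh token from store or cookie. It returns the decrypted token together with the form it was read as (ciphertext, before decodeText), so callers can persist it again without re-encrypting.` and renaming the result to `encrypted`; the same misspelling recurs in the assignment `ecrypted = token` in the next hunk. The function's body continues in the next hunk.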
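Review bot: The bare `return` in the `if err != nil` branch now hands back whatever `token` the store or cookie lookup produced alongside the error, because the results are named, whereas the old code returned an empty string; unless both lookups are guaranteed to yield "" on failure, prefer `return "", "", err` so nothing token-like leaves the function on the error path. The final `return` has the same shape: when decodeText fails, `ecrypted` still carries the ciphertext next to a non-nil error, which is harmless for callers that check err first but worth making explicit with an error check after the decode. The inline comment `// returns encryped, avoid encoding twice` would be clearer as `// keep the ciphertext so callers can re-store it without encrypting again`. retrieveRefreshToken starts in the previous hunk; its closing brace is in this one.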
@@ -212,15 +212,15 @@ func (r *oauthProxy) authenticationMiddleware(resource *Resource) echo.Middlewar
 		r.dropAccessTokenCookie(cx.Request(), cx.Response().Writer, accessToken, expiresIn)
 
 		if r.useStore() {
-			go func(old, new jose.JWT, state string) {
+			go func(old, new jose.JWT, encrypted string) {
 				if err := r.DeleteRefreshToken(old); err != nil {
 					log.WithFields(log.Fields{"error": err.Error()}).Errorf("failed to remove old token")
 				}
-				if err := r.StoreRefreshToken(new, state); err != nil {
+				if err := r.StoreRefreshToken(new, encrypted); err != nil {
 					log.WithFields(log.Fields{"error": err.Error()}).Errorf("failed to store refresh token")
 					return
 				}
-			}(user.token, token, refresh)
+			}(user.token, token, encrypted)
 		}
 		// update the with the new access token and inject into the context
 		user.token = token
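Review bot: The value persisted under the new access token is `encrypted`, the ciphertext returned by retrieveRefreshToken before the refresh call, and nothing in this hunk says so; a reader has to trace the variable back to handlers.go to learn that the store now receives ciphertext rather than the decrypted `refresh` the old argument passed. Suggest a comment on the closure parameter: `// encrypted is the refresh token exactly as it was persisted (ciphertext); it is re-stored as-is under the new access token`. If the token endpoint rotates refresh tokens (the refresh call sits between this hunk and the previous one, so I cannot see it), the ciphertext of the superseded token would be stored here — worth confirming. authenticationMiddleware begins and ends outside the hunk.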