diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java
index cbfe7e6e676..44b7e846a0a 100644
--- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java
+++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java
@@ -128,17 +128,19 @@ public class OpenIdConfiguration extends ContainerLifeCycle
  * Process the OpenID Connect metadata discovered by {@link #fetchOpenIdConnectMetadata()}.
  * By default, only the {@link #AUTHORIZATION_ENDPOINT} and {@link #TOKEN_ENDPOINT} claims are extracted.
  * @see OpenID Connect Discovery 1.0
+ * @throws IllegalStateException if a required field is not present in the metadata.
  */
 protected void processMetadata(Map discoveryDocument)
 {
 authEndpoint = (String)discoveryDocument.get(AUTHORIZATION_ENDPOINT);
 if (authEndpoint == null)
- throw new IllegalArgumentException(AUTHORIZATION_ENDPOINT);
+ throw new IllegalStateException(AUTHORIZATION_ENDPOINT);
 
 tokenEndpoint = (String)discoveryDocument.get(TOKEN_ENDPOINT);
 if (tokenEndpoint == null)
- throw new IllegalArgumentException(TOKEN_ENDPOINT);
+ throw new IllegalStateException(TOKEN_ENDPOINT);
 
+ // We are lenient and not throw here as some major OIDC providers do not conform to this.
 if (!Objects.equals(discoveryDocument.get(ISSUER), issuer))
 LOG.warn("The issuer in the metadata is not correct.");
 }
@@ -146,6 +148,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle
 /**
  * Obtain the JSON metadata from OpenID Connect Discovery Configuration Endpoint.
  * @return a set of Claims about the OpenID Provider's configuration in JSON format.
+ * @throws IllegalStateException if metadata could not be fetched from the OP.
  */
 protected Map fetchOpenIdConnectMetadata()
 {
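Review bot: The issuer comparison at the end of processMetadata still only logs on mismatch, and the new comment now documents that leniency as intentional, yet OpenID Connect Discovery 1.0 §4.3 makes the `issuer` check the relying party's defence against a discovery document that hands it another provider's authorization and token endpoints, so a warn-only default deserves at least an opt-in strict mode (a boolean field consulted before the `LOG.warn`, throwing `IllegalStateException` like the two checks above it) rather than a blanket pass for every deployment. At minimum the warning should print both values so an operator can distinguish a trailing-slash difference from a real mismatch: `LOG.warn("Issuer in metadata {} does not match configured issuer {}", discoveryDocument.get(ISSUER), issuer);`. The two null checks also accept any string for the endpoints; if the token endpoint is where client credentials are later sent (not visible in this hunk), rejecting a value whose scheme is not https would be a cheap additional guard against a tampered or misconfigured discovery document. The `@throws` javadoc now agrees with the exception type actually thrown, which is an improvement over the previous mismatch.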
@@ -177,7 +180,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle
 }
 catch (Exception e)
 {
- throw new IllegalArgumentException("invalid identity provider " + provider, e);
+ throw new IllegalStateException("invalid identity provider " + provider, e);
 }
 }