diff --git a/src/Form/SalesforceAuthForm.php b/src/Form/SalesforceAuthForm.php
index 0a1834acb1d5c3271853ac17c5ca0448e03fd885..4521163ef266e4e05350898fa9a42ab737c67ffc 100644
--- a/src/Form/SalesforceAuthForm.php
+++ b/src/Form/SalesforceAuthForm.php
@@ -141,7 +141,7 @@ class SalesforceAuthForm extends EntityForm {
     $this->entity->getPlugin()->submitConfigurationform($form, $form_state);
     // If redirect is not already set, and we have no errors, send user back to
     // the AuthConfig listing page.
-    if (!$form_state->getErrors() && !$form_state->getRedirect()) {
+    if (!$form_state->getErrors() && !$form_state->getResponse() && !$form_state->getRedirect()) {
       $form_state->setRedirectUrl($this->entity->toUrl('collection'));
     }
   }
diff --git a/src/SalesforceAuthProviderPluginBase.php b/src/SalesforceAuthProviderPluginBase.php
index c24119dbb34c4cca0e6ecc900ae3eac6bac596d8..be042046d39f7cf45e8ec39d9123768893dcdd97 100644
--- a/src/SalesforceAuthProviderPluginBase.php
+++ b/src/SalesforceAuthProviderPluginBase.php
@@ -5,6 +5,7 @@ namespace Drupal\salesforce;
 use Drupal\Core\DependencyInjection\DependencySerializationTrait;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Messenger\MessengerTrait;
+use Drupal\Core\Routing\TrustedRedirectResponse;
 use Drupal\Core\StringTranslation\StringTranslationTrait;
 use Drupal\salesforce\Storage\SalesforceAuthTokenStorageInterface;
 use OAuth\Common\Http\Client\ClientInterface;
@@ -171,6 +172,13 @@ abstract class SalesforceAuthProviderPluginBase extends Salesforce implements Sa
    * {@inheritdoc}
    */
   public function save(array $form, FormStateInterface $form_state) {
+    if ($form_state->getResponse() instanceof TrustedRedirectResponse) {
+      // If we're redirecting off-site, do not proceed with save operation.
+      // We'll finish saving form input when we complete the OAuth handshake
+      // from Salesforce.
+      return FALSE;
+    }
+
     // Initialize identity if token is available.
     if (!$this->hasAccessToken()) {
       return TRUE;
@@ -181,7 +189,14 @@ abstract class SalesforceAuthProviderPluginBase extends Salesforce implements Sa
       'Content-type' => 'application/json',
     ];
     $data = $token->getExtraParams();
-    $response = $this->httpClient->retrieveResponse(new Uri($data['id']), [], $headers);
+    try {
+      $response = $this->httpClient->retrieveResponse(new Uri($data['id']), [], $headers);
+    }
+    catch (\Exception $e) {
+      $this->messenger()->addError($e->getMessage());
+      $form_state->disableRedirect();
+      return FALSE;
+    }
     $identity = $this->parseIdentityResponse($response);
     $this->storage->storeIdentity($this->service(), $identity);
     return TRUE;