diff --git a/src/node/http.ts b/src/node/http.ts
index c616c88377b885755bfb6f896a3ed612528c8738..af81f1876e293d2d5e3a338d92af553d5ab2fc90 100644
--- a/src/node/http.ts
+++ b/src/node/http.ts
@@ -927,7 +927,29 @@ export class HttpServer {
     }
 
     // Must be authenticated to use the proxy.
-    route.provider.ensureAuthenticated(request)
+    if (!route.provider.authenticated(request)) {
+      // Attempt to determine if it's the user browsing the root and if so fall
+      // through to allow the login flow.
+      if (request.headers["content-type"] !== "application/json") {
+        switch (route.providerBase) {
+          case "/":
+          case "/static":
+            if (request.method === "GET") {
+              return undefined
+            }
+            break
+          case "/login":
+            if (request.method === "GET" || request.method === "POST") {
+              return undefined
+            }
+            break
+        }
+      }
+
+      // Assume anything else is some kind of request from the proxied
+      // application and return an unauthorized message.
+      throw new HttpError("Unauthorized", HttpCode.Unauthorized)
+    }
 
     return {
       proxy: {