diff --git a/ChangeLog b/ChangeLog
index aaf87ab5..08b94254 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+09/14/2023
+- fix `OIDCRefreshAccessTokenBeforeExpiry` when using `logout_on_error`; see #1111; thanks @brandonk10
+- bump to 2.4.14.4rc0
+
 09/05/2023
 - release 2.4.14.3
diff --git a/configure.ac b/configure.ac
index fc4d68b2..bfb871df 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.14.3],[hans.zandbelt@openidc.com])
+AC_INIT([mod_auth_openidc],[2.4.14.4rc0],[hans.zandbelt@openidc.com])
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 139341c7..5a710c78 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -1361,7 +1361,8 @@ static apr_byte_t oidc_session_pass_tokens(request_rec *r, oidc_cfg *cfg,
 }
 static apr_byte_t oidc_refresh_access_token_before_expiry(request_rec *r,
- oidc_cfg *cfg, oidc_session_t *session, int ttl_minimum) {
+ oidc_cfg *cfg, oidc_session_t *session, int ttl_minimum,
+ apr_byte_t *needs_save) {
 const char *s_access_token_expires = NULL;
 apr_time_t t_expires = -1;
@@ -1370,7 +1371,7 @@ static apr_byte_t oidc_refresh_access_token_before_expiry(request_rec *r,
 oidc_debug(r, "ttl_minimum=%d", ttl_minimum);
 if (ttl_minimum < 0)
- return FALSE;
+ return TRUE;
 s_access_token_expires = oidc_session_get_access_token_expires(r, session);
 if (s_access_token_expires == NULL) {
@@ -1397,7 +1398,7 @@ static apr_byte_t oidc_refresh_access_token_before_expiry(request_rec *r,
 apr_time_sec(t_expires - apr_time_now()));
 if (t_expires > apr_time_now())
- return FALSE;
+ return TRUE;
 if (oidc_get_provider_from_session(r, cfg, session, &provider) == FALSE)
 return FALSE;
@@ -1408,6 +1409,8 @@ static apr_byte_t oidc_refresh_access_token_before_expiry(request_rec *r,
 return FALSE;
 }
+ *needs_save = TRUE;
+
 return TRUE;
 }
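Review bot: The new `needs_save` out-parameter is written only on the successful-refresh path (`*needs_save = TRUE;` in the last hunk of this file) and is left untouched by the `return TRUE` early exits added in the two middle hunks, so the function silently relies on the caller having initialised `*needs_save` before the call; nothing at the signature documents that, nor what the return value now means. I would add a header comment above `static apr_byte_t oidc_refresh_access_token_before_expiry(` saying that it returns FALSE only when a refresh was attempted and failed, TRUE when no refresh was needed or it succeeded, and that it sets `*needs_save` to TRUE (never to FALSE) when the session was updated, so the caller must initialise it. The function body continues outside this hunk.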
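Review bot: The `s_access_token_expires == NULL` branch opened on the last line of this hunk is handled outside the hunk and the diff does not show what it returns; if it still returns FALSE, a session with no stored access-token expiry would continue to be reported as a refresh failure and, with `OIDC_ON_ERROR_LOGOUT` (`logout_on_error`), log the user out even though no refresh was attempted, which is the same symptom this commit fixes for `ttl_minimum < 0`. Worth confirming that branch, and any similar "nothing to refresh" exit between this hunk and the next, also returns TRUE under the new return-value semantics.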
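Review bot: `apr_time_now()` is evaluated twice here, once inside the `oidc_debug` call whose last line opens this hunk and once in the `t_expires > apr_time_now()` comparison, so the logged remaining TTL and the refresh decision can disagree right at the expiry boundary. Taking the time once, `apr_time_t now = apr_time_now();` before the debug call and using `now` in both places, keeps the log and the decision consistent; this is a style point, the change to `return TRUE` for a not-yet-expired token is correct. The `oidc_debug` call itself starts outside the hunk.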
@@ -1679,7 +1682,7 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,
 /* if needed, refresh the access token */
 rv = oidc_refresh_access_token_before_expiry(r, cfg, session,
- oidc_cfg_dir_refresh_access_token_before_expiry(r));
+ oidc_cfg_dir_refresh_access_token_before_expiry(r), needs_save);
 if (rv == FALSE) {
 if (oidc_cfg_dir_action_on_error_refresh(r) == OIDC_ON_ERROR_LOGOUT) {
 *needs_save = FALSE;
@@ -1694,8 +1697,6 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,
 }
 }
- *needs_save |= rv;
-
 /* if needed, refresh claims from the user info endpoint */
 rv = oidc_refresh_claims_from_userinfo_endpoint(r, cfg, session, needs_save);
 if (rv == FALSE) {
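Review bot: The `if (rv == FALSE)` check now only fires when a refresh was actually attempted and failed, because the callee returns TRUE for "no refresh needed", but nothing at the call site records that, and the `OIDC_ON_ERROR_LOGOUT` branch that follows is only proportionate under that guarantee. I would extend the existing comment to `/* if needed, refresh the access token; FALSE means a refresh was attempted and failed, not that none was needed */` so the next reader does not reintroduce the `*needs_save |= rv` coupling the second hunk removes. The logout branch and the enclosing function continue outside the hunk.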