diff --git a/frontend.py b/frontend.py
index f8eabe9..ec170ea 100644
--- a/frontend.py
+++ b/frontend.py
@@ -231,13 +231,17 @@ def oauth2_callback(provider):
         "grant_type": "authorization_code",
         "redirect_uri": url_for("oauth2_callback", provider=provider, _external=True),
     }
+    headers = {
+        "Accept": "application/json",
+    }
     if SSO_CONFIG[provider]["challenge_instead_of_state"]:
         params["code_verifier"] = session["oauth2_state"]
+        headers["Content-Type"] = "application/x-www-form-urlencoded"
 
     r = requests.post(
         SSO_CONFIG[provider]["token_url"],
         data=params,
-        headers={"Accept": "application/json"},
+        headers=headers,
     )
     if r.status_code != 200:
         abort(400)
diff --git a/util/sso/__init__.py b/util/sso/__init__.py
index 3eb749d..296dd57 100644
--- a/util/sso/__init__.py
+++ b/util/sso/__init__.py
@@ -18,8 +18,8 @@
 SSO_CONFIG = {
     "c3hub": {
         "display_name": "38C3 Hub",
-        "authorize_url": "https://events.ccc.de/congress/2024/hub/sso/authorize",
-        "token_url": "https://events.ccc.de/congress/2024/hub/sso/token",
+        "authorize_url": "https://events.ccc.de/congress/2024/hub/sso/authorize/",
+        "token_url": "https://events.ccc.de/congress/2024/hub/sso/token/",
         "scopes": ["38c3_attendee"],
         "userinfo_url": "https://api.events.ccc.de/congress/2024/me",
         "challenge_instead_of_state": True,