diff --git a/main.go b/main.go
index de39983..f8a2963 100644
--- a/main.go
+++ b/main.go
@@ -303,6 +303,12 @@ func NewWithContext(ctx context.Context, config *Config, next http.Handler, name
 logger.Debugf("TraefikOidc.New: Final t.scopes initialized to: %v", t.scopes)
+ // Log callback URL configuration to help diagnose redirect loop issues.
+ // If callbackURL is a full URL instead of a path, the callback matching
+ // in ServeHTTP will silently fail because req.URL.Path is compared directly.
+ logger.Debugf("TraefikOidc.New: callbackURL (redirURLPath) configured as: %q", t.redirURLPath)
+ logger.Debugf("TraefikOidc.New: logoutURLPath configured as: %q", t.logoutURLPath)
+
 t.providerURL = config.ProviderURL
 // Use singleton resource manager for metadata initialization
diff --git a/middleware.go b/middleware.go
index 5b7f742..4bbf4af 100644
--- a/middleware.go
+++ b/middleware.go
@@ -173,10 +173,14 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 host := utils.DetermineHost(req)
 redirectURL := buildFullURL(scheme, host, t.redirURLPath)
+ // Check if the current request is the OIDC callback
+ t.logger.Debugf("Checking callback URL match: request_path=%q, configured_callback=%q", req.URL.Path, t.redirURLPath)
 if req.URL.Path == t.redirURLPath {
+ t.logger.Debugf("Callback URL matched, processing OIDC callback (redirect_url=%s)", redirectURL)
 t.handleCallback(rw, req, redirectURL)
 return
 }
+ t.logger.Debugf("Callback URL did not match (request_path=%q != configured=%q), continuing auth flow", req.URL.Path, t.redirURLPath)
 authenticated, needsRefresh, expired := t.isUserAuthenticated(session)
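Review bot: The misconfiguration described in the new comment in NewWithContext (main.go) is only written to the debug log, not detected, so a deployment whose callbackURL is a full URL still starts and the callback never matches unless someone happens to have debug logging on. A one-time check at this point would surface it, for example `if !strings.HasPrefix(t.redirURLPath, "/") || strings.Contains(t.redirURLPath, "://") { ... }`, reporting above debug level or returning a configuration error. That assumes `strings` is imported in main.go and that redirURLPath is already final here, neither of which is visible in the hunk. If logoutURLPath is compared against the request path the same way, it likely deserves the same check. NewWithContext begins before and continues past this hunk.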
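Review bot: In ServeHTTP (middleware.go) the matched-callback line formats `redirectURL` with `%s` while the other two new lines use `%q`. redirectURL is built from `utils.DetermineHost(req)`, which presumably reads request headers, so the value is client-influenced and should be quoted the same way: `t.logger.Debugf("Callback URL matched, processing OIDC callback (redirect_url=%q)", redirectURL)`. The "Checking" and "did not match" lines carry the same two values and both fire on every non-callback request, so one of them can be dropped. Logging only `req.URL.Path` keeps the callback's query parameters (code, state) out of the log, and a short comment saying so would stop a later edit from switching to the full URL. ServeHTTP starts before and continues past this hunk.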