diff --git a/src/authentic2_auth_oidc/utils.py b/src/authentic2_auth_oidc/utils.py
index 41ec787f7..ecf797bdd 100644
--- a/src/authentic2_auth_oidc/utils.py
+++ b/src/authentic2_auth_oidc/utils.py
@@ -77,8 +77,9 @@ def parse_id_token(encoded, provider):
     if header['alg'] in ('RS256', 'RS384', 'RS512'):
         key = provider.jwkset.get_key(kid=header.get('kid'))
         if not key:
-            raise JWTMissingKey(_('Unknown RSA key identifier %s for provider %s')
-                    % (header.get('kid'), provider))
+            raise JWTMissingKey(
+                    _('Unknown RSA key identifier %(kid)s for provider %(provider)s') %
+                            {'kid': header.get('kid'), 'provider': provider})
     elif header['alg'] in ('HS256', 'HS384', 'HS512'):
         key = JWK(kty='oct', k=base64url_encode(
                 provider.client_secret.encode('utf-8')))
@@ -147,8 +148,8 @@ class IDToken(object):
                             _('invalid amr value: %s') % decoded['amr'])
             elif key in KEY_TYPES:
                 if not isinstance(decoded[key], KEY_TYPES[key]):
-                    raise IDTokenError(
-                            _('invalid %s value: %s') % (key, decoded[key]))
+                    raise IDTokenError(_('invalid %(key)s value: %(value)s') %
+                            {'key': key, 'value': decoded[key]})
         self.iss = decoded.pop('iss')
         self.sub = decoded.pop('sub')
         self.aud = decoded.pop('aud')