diff --git a/daos/external_auth.go b/daos/external_auth.go
index e43df07f..6d598620 100644
--- a/daos/external_auth.go
+++ b/daos/external_auth.go
@@ -35,6 +35,7 @@ func (dao *Dao) FindExternalAuthByProvider(provider, providerId string) (*models
 	model := &models.ExternalAuth{}
 
 	err := dao.ExternalAuthQuery().
+		AndWhere(dbx.Not(dbx.HashExp{"providerId": ""})). // exclude empty providerIds
 		AndWhere(dbx.HashExp{
 			"provider":   provider,
 			"providerId": providerId,
@@ -71,6 +72,12 @@ func (dao *Dao) FindExternalAuthByUserIdAndProvider(userId, provider string) (*m
 
 // SaveExternalAuth upserts the provided ExternalAuth model.
 func (dao *Dao) SaveExternalAuth(model *models.ExternalAuth) error {
+	// extra check the model data in case the provider's API response
+	// changes and no longer returns the expected fields
+	if model.UserId == "" || model.Provider == "" || model.ProviderId == "" {
+		return errors.New("Missing required ExternalAuth fields.")
+	}
+
 	return dao.Save(model)
 }
 
diff --git a/daos/external_auth_test.go b/daos/external_auth_test.go
index dece07f7..68a58e71 100644
--- a/daos/external_auth_test.go
+++ b/daos/external_auth_test.go
@@ -123,6 +123,12 @@ func TestSaveExternalAuth(t *testing.T) {
 	app, _ := tests.NewTestApp()
 	defer app.Cleanup()
 
+	// save with empty provider data
+	emptyAuth := &models.ExternalAuth{}
+	if err := app.Dao().SaveExternalAuth(emptyAuth); err == nil {
+		t.Fatal("Expected error, got nil")
+	}
+
 	auth := &models.ExternalAuth{
 		UserId:     "97cc3d3d-6ba2-383f-b42a-7bc84d27410c",
 		Provider:   "test",