diff --git a/db/client.go b/db/client.go
index 62187034..a0f54846 100644
--- a/db/client.go
+++ b/db/client.go
@@ -100,9 +100,13 @@ func NewClientIdentityRepoFromClients(dbm *gorp.DbMap, clients []oidc.ClientIden
 defer tx.Rollback()
 exec := repo.executor(tx)
 for _, c := range clients {
+ if c.Credentials.Secret == "" {
+ return nil, fmt.Errorf("client %q has no secret", c.Credentials.ID)
+ }
 dec, err := base64.URLEncoding.DecodeString(c.Credentials.Secret)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("client secrets must be base64 decodable. See issue #337. Please consider replacing %q with %q",
+ c.Credentials.Secret, base64.URLEncoding.EncodeToString([]byte(c.Credentials.Secret)))
 }
 cm, err := newClientIdentityModel(c.Credentials.ID, dec, &c.Metadata)
 if err != nil {
diff --git a/db/user.go b/db/user.go
index 8ac04c83..00991668 100644
--- a/db/user.go
+++ b/db/user.go
@@ -451,6 +451,12 @@ func (u *userModel) user() (user.User, error) {
 }

 func newUserModel(u *user.User) (*userModel, error) {
+ if u.ID == "" {
+ return nil, fmt.Errorf("user is missing ID field")
+ }
+ if u.Email == "" {
+ return nil, fmt.Errorf("user %s is missing email field", u.ID)
+ }
 um := userModel{
 ID: u.ID,
 DisplayName: u.DisplayName,
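Review bot: The new decode-failure error in NewClientIdentityRepoFromClients (db/client.go) formats `c.Credentials.Secret` and its base64 re-encoding into the error string, so a misconfigured client's plaintext secret ends up wherever this error is logged or returned. It also drops the decoder's own `err`. Identify the client by ID instead and keep the cause, e.g. `return nil, fmt.Errorf("client %q: secret is not valid base64url, see issue #337: %v", c.Credentials.ID, err)`. The re-encoding hint is better placed in the documentation for issue #337 than in runtime output. The function body starts and ends outside the hunk, so where the returned error is surfaced is not visible here.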
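Review bot: The email check in newUserModel (db/user.go) formats `u.ID` with `%s`, while the db/client.go hunk in this commit uses `%q` for identifiers. `%q` escapes newlines and control characters, so an unusual ID cannot break up or forge a log line; suggest `return nil, fmt.Errorf("user %q is missing email field", u.ID)`. Both checks compare only against the empty string, so a whitespace-only ID or email still passes; whether that matters depends on callers not visible here. newUserModel's body continues past the hunk.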