diff --git a/examples/msal-go/token_credential.go b/examples/msal-go/token_credential.go
index b5598454f..ee7a0c438 100644
--- a/examples/msal-go/token_credential.go
+++ b/examples/msal-go/token_credential.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"net/url"
 	"os"
 	"time"
 
@@ -37,7 +38,12 @@ func newClientAssertionCredential(tenantID, clientID, authorityHost, file string
 		},
 	)
 
-	client, err := confidential.New(fmt.Sprintf("%s%s/oauth2/token", authorityHost, tenantID), clientID, cred)
+	authority, err := url.JoinPath(authorityHost, tenantID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to construct authority URL: %w", err)
+	}
+
+	client, err := confidential.New(authority, clientID, cred)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create confidential client: %w", err)
 	}
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
index c1d45a9e4..d79f93a77 100644
--- a/pkg/proxy/proxy.go
+++ b/pkg/proxy/proxy.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"os"
 	"strconv"
 	"strings"
@@ -197,8 +198,12 @@ func doTokenRequest(ctx context.Context, clientID, resource, tenantID, authority
 	cred := confidential.NewCredFromAssertionCallback(func(context.Context, confidential.AssertionRequestOptions) (string, error) {
 		return readJWTFromFS(tokenFilePath)
 	})
+	authority, err := url.JoinPath(authorityHost, tenantID)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to construct authority URL")
+	}
 
-	confidentialClientApp, err := confidential.New(fmt.Sprintf("%s%s/oauth2/token", authorityHost, tenantID), clientID, cred)
+	confidentialClientApp, err := confidential.New(authority, clientID, cred)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create confidential client app")
 	}