diff --git a/middleware/auth.js b/middleware/auth.js
index 651342b2..78380dc4 100644
--- a/middleware/auth.js
+++ b/middleware/auth.js
@@ -23,7 +23,7 @@ const enforceLeadingSlash = (path) => {
 const auth = function (params) {
   const config = getConfig(params);
   debug('configuration object processed, resulting configuration: %O', config);
-  const router = new express.Router();
+  const router = new express();
   const transient = new TransientCookieHandler(config);
 
   router.use(appSession(config));
diff --git a/test/login.tests.js b/test/login.tests.js
index 44655bc2..dc4c89ec 100644
--- a/test/login.tests.js
+++ b/test/login.tests.js
@@ -63,10 +63,10 @@ describe('auth', () => {
   it('should contain the default authentication routes', async () => {
     const router = auth(defaultConfig);
     server = await createServer(router);
-    assert.ok(router.stack.some(filterRoute('GET', '/login')));
-    assert.ok(router.stack.some(filterRoute('GET', '/logout')));
-    assert.ok(router.stack.some(filterRoute('POST', '/callback')));
-    assert.ok(router.stack.some(filterRoute('GET', '/callback')));
+    assert.ok(router._router.stack.some(filterRoute('GET', '/login')));
+    assert.ok(router._router.stack.some(filterRoute('GET', '/logout')));
+    assert.ok(router._router.stack.some(filterRoute('POST', '/callback')));
+    assert.ok(router._router.stack.some(filterRoute('GET', '/callback')));
   });
 
   it('should contain custom authentication routes', async () => {
@@ -79,10 +79,14 @@ describe('auth', () => {
       },
     });
     server = await createServer(router);
-    assert.ok(router.stack.some(filterRoute('GET', '/custom-login')));
-    assert.ok(router.stack.some(filterRoute('GET', '/custom-logout')));
-    assert.ok(router.stack.some(filterRoute('POST', '/custom-callback')));
-    assert.ok(router.stack.some(filterRoute('GET', '/custom-callback')));
+    assert.ok(router._router.stack.some(filterRoute('GET', '/custom-login')));
+    assert.ok(router._router.stack.some(filterRoute('GET', '/custom-logout')));
+    assert.ok(
+      router._router.stack.some(filterRoute('POST', '/custom-callback'))
+    );
+    assert.ok(
+      router._router.stack.some(filterRoute('GET', '/custom-callback'))
+    );
   });
 
   it('should redirect to the authorize url for /login', async () => {