<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Okta Default Custom Auth Server No Longer Includes a Default API Access Policy - Error "FAILURE: no_matching_policy"

API Access Management
Okta Identity Engine

Overview

Access issues with newly provisioned orgs might appear if running sample apps using an Okta SDK or implementing Quickstart guides. These SDKs and guides typically reference the default custom authorization server to mint access tokens. Orgs provisioned with the ability to use custom authorization servers before the 2024.08.0 release can continue using the default custom auth server without needing to make any changes.

For all newer orgs, users may see the following error when attempting to sign in, with a corresponding error appearing in the system log:

You are not allowed to access this app. To request access, contact an admin.

Error Message

 

OAuth2 authorization request FAILURE: no_matching_policy

Syslog error

 

Applies To

  • API Access Management
  • Default Custom Authorization Server Access Policy
  • OAuth 2.0
  • Okta Identity Engine (OIE)

Cause

As of the 2024.08.0 release, all newly provisioned orgs, including those available from the developer.okta.com sign-up page, are no longer provisioned with a pre-set Access Policy on the "default" Custom Authorization Server.

Solution

To resolve this issue, determine which authorization server your application should use:

If the use case requires the default Custom Authorization Server:

  1. Navigate to the default Custom Auth Server in the Okta Admin Console.

  2. Add a new API Access Policy (see Create access policies).

  3. Check the policy rules to verify that they apply correctly to the specific use case.

If the use case requires the Org Authorization Server:

  1. Locate the issuer reference in the sample SDK or Quickstart guide.

  2. Update the issuer URI to point to the Org Authorization server.

    • Change issuer: 'https://<OktaDomain>/oauth2/default' to issuer: 'https://<OktaDomain>/'

 

NOTE: The following article indicates which use cases/functionality is supported by each Authorization Server type:

Related References

Loading
Okta Support - Okta Default Custom Auth Server No Longer Includes a Default API Access Policy - Error "FAILURE: no_matching_policy"