"Policy evaluation failed for this request" Error When Logging Into OpenID Connect App via a Custom Authorization Server
API Access Management
Okta Classic Engine
Okta Identity Engine
Overview

When a user tries to get tokens from a custom authorization server, the following error might appear:

Policy evaluation failed for this request, please check the policy configurations.

(Screenshot: Error)

In the Okta system logs, the following error can be seen:

FAILURE: no_matching_policy

(Screenshot: Okta Error)

This error is returned to the application's callback route (the redirect_uri included in the /authorize request) and prevents the user from successfully logging in.

Applies To
  • OpenID Connect application
  • Custom Authorization Server
  • Access Policies
  • Access Rules
Cause

This error can happen for a few reasons when setting up a new custom authorization server or configuring an existing one:

  • The Custom Authorization Server lacks an appropriate Access Policy and Rule.
    (Screenshot: Example Authorization Server)
  • An existing Access Policy or Rule is Inactive.
    (Screenshot: Access Policy Rule)
  • The client applications are not assigned to the existing Access Policy.
    (Screenshot: Access Policy)
  • The Grant Type used by the application is not accounted for in any of the Policy Rules.
    (Screenshot: Grant Type Rule)

For an application to get tokens from a custom authorization server, it must be assigned to an active policy with a rule that matches the grant type and permits the token request.

Solution

To fix this, ensure that an Access Policy and its corresponding Access Rule are correctly configured for the custom authorization server, and that the application is assigned to the policy.

  1. Create an Access Policy for the custom authorization server.
  2. Create an Access Policy Rule within that policy.
  3. Ensure that the Access Policy and Rule are Active.
  4. Assign the client application(s) to the new Access Policy so they can use the authorization server.
  5. Check the Grant types used by the app and make sure they are accounted for in the Access Policy Rules. Check the Implement authorization by grant type documentation for more details.

To identify the flow used by the app during a policy error, review the failure events within the System Logs. Clicking Expand all for that failure event will show an item labelled ResponseType under System > DebugContext > DebugData, as shown below. This response type may combine several values (particularly code, token, and id_token); the combination indicates the flow being used by the application, and therefore which grant types the Access Policy Rule must allow. Check the OAuth 2.0 and OpenID Connect overview documentation for more details.

(Screenshot: Response Type)
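The following script is an added example, not Okta's code or part of this article. It turns the five solution steps above and the ResponseType lookup into a single check that can be run against the policy and rule records of a custom authorization server: it reports which of the four causes listed under Cause applies (no policy, inactive policy or rule, client not assigned, grant type not covered) and derives the required grant types from the ResponseType value seen in the System Log. The JSON shapes (status, conditions.clients.include with the ALL_CLIENTS marker, conditions.grantTypes.include) are an assumption about what the Okta Management API policy and rule endpoints return; the client IDs and records below are constructed placeholders. The check goes slightly beyond the article in that it handles any combination of code, token and id_token, including the hybrid flow, which needs both authorization_code and implicit to be allowed.

```python
# Added example (not Okta's code): reproduce this article's checks against
# policy and rule records in the shape the Okta Management API returns
# (an assumption about the API's JSON):
#   GET /api/v1/authorizationServers/{authServerId}/policies
#   GET /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules
# All records and client IDs below are constructed placeholders.

# How the ResponseType in System Log DebugData maps onto grant types:
# "code" is the authorization code flow, "token"/"id_token" the implicit
# flow, and a combination such as "code id_token" is the hybrid flow,
# which needs both grant types allowed by the rule.
RESPONSE_TYPE_TO_GRANT = {
    "code": "authorization_code",
    "token": "implicit",
    "id_token": "implicit",
}


def grants_for_response_type(response_type: str) -> set:
    """Return the grant types a rule must allow for this ResponseType."""
    grants = set()
    for part in response_type.split():
        if part not in RESPONSE_TYPE_TO_GRANT:
            raise ValueError(f"unrecognised response_type component: {part!r}")
        grants.add(RESPONSE_TYPE_TO_GRANT[part])
    return grants


def policy_includes_client(policy: dict, client_id: str) -> bool:
    """True if the policy is assigned to this client (or to ALL_CLIENTS)."""
    include = policy.get("conditions", {}).get("clients", {}).get("include", [])
    return "ALL_CLIENTS" in include or client_id in include


def rule_allows_grants(rule: dict, grants: set) -> bool:
    """True if the rule's grantTypes condition covers every required grant."""
    allowed = rule.get("conditions", {}).get("grantTypes", {}).get("include", [])
    return grants <= set(allowed)


def diagnose(policies: list, rules_by_policy: dict,
             client_id: str, response_type: str) -> list:
    """Explain why a token request would hit no_matching_policy.

    Returns [] when some ACTIVE policy assigned to the client has an ACTIVE
    rule allowing every grant type the response type needs; otherwise one
    finding per policy or rule that fails a check. Only the conditions this
    article names (status, client assignment, grant type) are checked; Okta
    rules also carry user, group and scope conditions, and Okta evaluates
    policies in priority order, which this simplified check ignores.
    """
    required = grants_for_response_type(response_type)
    if not policies:
        return ["the authorization server has no access policy"]
    findings = []
    for policy in policies:
        pname = policy.get("name", policy.get("id"))
        if policy.get("status") != "ACTIVE":
            findings.append(f"policy '{pname}' is {policy.get('status')}")
            continue
        if not policy_includes_client(policy, client_id):
            findings.append(f"policy '{pname}' is not assigned to client {client_id}")
            continue
        rules = rules_by_policy.get(policy["id"], [])
        if not rules:
            findings.append(f"policy '{pname}' has no rules")
            continue
        for rule in rules:
            rname = rule.get("name", rule.get("id"))
            if rule.get("status") != "ACTIVE":
                findings.append(f"rule '{rname}' in policy '{pname}' is {rule.get('status')}")
                continue
            if rule_allows_grants(rule, required):
                return []  # a matching policy and rule exist; no failure expected
            allowed = rule.get("conditions", {}).get("grantTypes", {}).get("include", [])
            findings.append(f"rule '{rname}' in policy '{pname}' allows {sorted(allowed)} "
                            f"but the request needs {sorted(required)}")
    return findings


# Constructed sample: a SPA using the hybrid flow (ResponseType "code id_token")
# against a server whose only active policy is assigned to another client and
# whose catch-all policy was left INACTIVE.
CLIENT_ID = "0oaEXAMPLESPA"  # placeholder client ID
BROKEN_POLICIES = [
    {"id": "pol1", "name": "Web Policy", "status": "ACTIVE",
     "conditions": {"clients": {"include": ["0oaOTHERCLIENT"]}}},
    {"id": "pol2", "name": "Catch-all", "status": "INACTIVE",
     "conditions": {"clients": {"include": ["ALL_CLIENTS"]}}},
]
BROKEN_RULES = {
    "pol1": [{"id": "rul1", "name": "Allow code", "status": "ACTIVE",
              "conditions": {"grantTypes": {"include": ["authorization_code"]}}}],
    "pol2": [{"id": "rul2", "name": "Allow all", "status": "ACTIVE",
              "conditions": {"grantTypes": {"include": ["authorization_code", "implicit"]}}}],
}

# The same server after the solution steps: the policy is active, assigned
# to the client, and its rule covers both grant types of the hybrid flow.
FIXED_POLICIES = [
    {"id": "pol2", "name": "Catch-all", "status": "ACTIVE",
     "conditions": {"clients": {"include": ["ALL_CLIENTS"]}}},
]
FIXED_RULES = {"pol2": BROKEN_RULES["pol2"]}

if __name__ == "__main__":
    for label, pols, rules in (("before", BROKEN_POLICIES, BROKEN_RULES),
                               ("after", FIXED_POLICIES, FIXED_RULES)):
        result = diagnose(pols, rules, CLIENT_ID, "code id_token")
        print(f"{label}: {result or 'OK - a matching policy and rule exist'}")
```

Run it as-is to see the "before" findings (policy not assigned, policy INACTIVE) and the clean "after" result; to use it on a real server, replace the constructed records with the policy and rule JSON fetched from the two endpoints named in the header comment and the placeholder client ID with the app's own.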

 

Related References
