How to investigate for login errors


With the dashboard and reports provided by Okta we’ve seen that there are many error reported of this type: “Failed to evaluate claim for OAuth2 token for user ******* with client ****** and authorization server ***** due to reason: user_claim_evaluation_failure”

How can we investigate to resolve those issues?
In which part of the login flow this errors could be generated and for what reason?

How does the claim expression look in the authorization server?

Hi, this is the claim expressions we have defined:

does app.clientId expression evaluate correctly?

I hope so…that are the default expression Okta create itself.
We add the claims for organization, lastName and firstName…

Hi @valerio.cupelloni

The claim evaluation failure usually occurs from the authorization server not being able to retrieve a specific value in a claim.

Based on the screenshot provided, can you please check that the apps that are using the custom authorization server all have “name”, “userName” and “email” in the application profile available under Directory >> Profile Editor >> your application >> Profile >> Variable Name column?

If they do and you are not able to find the culprit, please feel free to open a support ticket with us at and one of our Developer Support engineers will further assist you.

I’ve checked the user profile for a specific application (that appears often in the reports) and it doesn’t have the “organization” attribute.

I’ve fix it and now I’ll wait for the result in the next days.

I’ll let you know,
Thank you!