Okta failing "Policy evaluation failed for this request, please check the policy configurations"


#1

Hello Everyone,

I have the “mod_auth_oidc” dependencies installed on Apache, which is acting as an OIDC client and is registered with an Okta API custom authorization server. My Apache web server acts as the OIDC relying party before it redirects the user to the actual application that is running in the backend.

When my OIDC client (Apache web server) is configured with the full list of scopes I defined in the authorization server, it fails with “Policy evaluation failed for this request, please check the policy configurations”. It works only when the Apache OIDC client requests the exact list of scopes assigned to the user profile.

Can Okta return only the authorized scopes even though the client requested more scopes, instead of redirecting to the error message entirely?

Thanks,
Nav


#2

> Can Okta return only the authorized scopes even though the client requested more scopes, instead of redirecting to the error message entirely?

Good question. Today, it’s not possible. The current behavior is that Okta is very strict about what scopes the client requests, so the client can’t request any scopes that are not allowed or not available.

Supporting these “downscoping” requests is on our roadmap, but it won’t be available for a little while. Sorry!


#3

We recently came across a similar requirement again. But it seems like we still have the same behavior of having to request the exact same list of scopes from the OIDC client.

Any suggestions on how we can support this downscoping scenario with the current state of Okta, or any ETA on the timeline for this enhancement?

Thank you in advance.


#4

Hey @nate.barbettini,

Any suggestions around this?

Thank you.


#5

Workaround: you could get an id_token and get all the scopes that the user is allowed to use in a claim. Then use that claim to request an access token. @Nav @nate.barbettini
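One way to implement the workaround described in #5, as an added example that is not code from this thread or from Okta. It assumes the custom authorization server has been configured to add a claim named `allowed_scopes` (name assumed) to the ID token, that the first leg requests only `openid` (which the policy must permit), and that the relying party has already verified the ID token signature; the issuer, client id, redirect URI and sample token are constructed for the example.

```python
"""Downscoping workaround for Okta's strict scope policy.

Added example, not code from the thread or from Okta. Assumptions:
- the custom authorization server puts a claim named ``allowed_scopes``
  (name assumed) in the ID token, listing the scopes the user's policy permits;
- the relying party (e.g. mod_auth_openidc) has already verified the ID token
  signature; this code only decodes the payload.
"""
import base64
import json
import secrets
from typing import List, Optional
from urllib.parse import urlencode

# Scopes the RP is configured to want (constructed sample). 'orders:write' and
# 'admin' are not granted to this user, which is what trips the
# "Policy evaluation failed" error when they are requested up front.
CLIENT_SCOPES = ["openid", "profile", "email", "orders:read", "orders:write", "admin"]
CLAIM_NAME = "allowed_scopes"  # assumed custom claim name


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed ID token. A real one is RS256-signed by Okta; the third segment
# here is a placeholder, so the signature is NOT valid and must not be trusted.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "example"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "https://example.okta.com/oauth2/default",
        "sub": "example-user",
        "aud": "example-client-id",
        CLAIM_NAME: ["openid", "profile", "email", "orders:read"],
    }).encode()),
    _b64url_encode(b"placeholder-signature"),
])


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of a compact-serialized JWS.

    No signature check is performed here: only call this on a token the
    relying party has already validated.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def downscope(requested: List[str], allowed: List[str]) -> List[str]:
    """Keep only the requested scopes the user is allowed, in request order.

    'openid' is always retained so the second request is still an OIDC request.
    """
    permitted = set(allowed) | {"openid"}
    return [s for s in requested if s in permitted]


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        scopes: List[str], state: Optional[str] = None) -> str:
    """Build the /v1/authorize request for the access-token leg."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state or secrets.token_urlsafe(16),
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def plan_second_request(id_token: str, client_id: str, redirect_uri: str,
                        state: Optional[str] = None) -> str:
    """Given the ID token from the first (openid-only) leg, compute the
    downscoped scope list and the authorize URL for the second leg."""
    claims = id_token_claims(id_token)
    scopes = downscope(CLIENT_SCOPES, claims.get(CLAIM_NAME, []))
    return build_authorize_url(claims["iss"], client_id, redirect_uri, scopes, state)


if __name__ == "__main__":
    print(plan_second_request(SAMPLE_ID_TOKEN, "example-client-id",
                              "https://rp.example.com/callback"))
```

The first authorization request asks for `openid` only, so the policy evaluation succeeds and the ID token comes back with the user's permitted scopes in the assumed claim; the second request asks for the intersection of what the client wants and what that claim lists, which is exactly the set Okta's policy will accept. Bind the `state` value to the user's session on the relying party side and reject the callback if it does not match, as with any authorization-code flow.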