diff --git a/app/controllers/OpenID.controller.js b/app/controllers/OpenID.controller.js
index 528ba70..8c4864e 100644
--- a/app/controllers/OpenID.controller.js
+++ b/app/controllers/OpenID.controller.js
@@ -119,8 +119,6 @@ class OpenIDController extends Controller {
 uid, prompt, params, session,
 } = await this.openid_connect.provider.interactionDetails(req, res)
- console.log({uid, prompt, params, session})
-
 const name = prompt.name
 if ( typeof this[name] !== 'function' ) {
 return this.fail(res, 'Sorry, something has gone wrong.')
diff --git a/app/controllers/auth/Oauth2.controller.js b/app/controllers/auth/Oauth2.controller.js
index 6c1967e..f60b109 100644
--- a/app/controllers/auth/Oauth2.controller.js
+++ b/app/controllers/auth/Oauth2.controller.js
@@ -18,6 +18,24 @@ class Oauth2 extends Oauth2Controller {
 const StarshipClient = this.models.get('oauth:Client')
 const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })
+ // Make sure the user has IAM access before proceeding
+ const Application = this.models.get('Application')
+ const Policy = this.models.get('iam:Policy')
+ const application = await Application.findOne({ oauth_client_ids: starship_client.id })
+ if ( !application ) {
+ this.output.warning('IAM Denial!')
+ return this.Vue.auth_message(res, {
+ message: req.T('saml.no_access').replace('APP_NAME', application.name),
+ next_destination: '/dash',
+ })
+ } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
+ this.output.warning('IAM Denial!')
+ return this.Vue.auth_message(res, {
+ message: req.T('saml.no_access').replace('APP_NAME', application.name),
+ next_destination: '/dash',
+ })
+ }
+
 req.user.authorize(starship_client)
 await req.user.save()
 return super.authorize_post(req, res, next)
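Review bot: The `if ( !application )` branch in the Oauth2.controller.js hunk throws instead of rendering the denial: `application` is null on that path, yet the message line dereferences `application.name`, so the user gets an unhandled TypeError rather than the `saml.no_access` page (it still fails closed, just not the way intended). The line above it also dereferences `starship_client.id`, which the `findOne({ active: true, ... })` lookup presumably leaves null for an unknown or inactive client; that dereference existed before this change, but the new lookup is another place it surfaces, so a null check on `starship_client` would be worth adding while here. Both branches log a context-free `'IAM Denial!'`, so a denied authorization cannot be correlated with the client (or user) being denied in the logs. I would collapse the two identical denial branches into one guard that falls back to the client id when there is no Application record and logs which client was denied; the enclosing method starts before this hunk.
```javascript
const application = await Application.findOne({ oauth_client_ids: starship_client.id })
const allowed = application ? await Policy.check_user_access(req.user, application.id) : false
if ( !allowed ) {
  // application may be null here, so never dereference it unconditionally
  this.output.warning(`IAM Denial! client=${client.clientID}`)
  return this.Vue.auth_message(res, {
    message: req.T('saml.no_access').replace('APP_NAME', application ? application.name : client.clientID),
    next_destination: '/dash',
  })
}
// … unchanged: req.user.authorize(starship_client), save, super.authorize_post …
```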
@@ -31,6 +49,24 @@ class Oauth2 extends Oauth2Controller {
 const StarshipClient = this.models.get('oauth:Client')
 const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })
+ // Make sure the user has IAM access before proceeding
+ const Application = this.models.get('Application')
+ const Policy = this.models.get('iam:Policy')
+ const application = await Application.findOne({ oauth_client_ids: starship_client.id })
+ if ( !application ) {
+ this.output.warning('IAM Denial!')
+ return this.Vue.auth_message(res, {
+ message: req.T('saml.no_access').replace('APP_NAME', application.name),
+ next_destination: '/dash',
+ })
+ } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
+ this.output.warning('IAM Denial!')
+ return this.Vue.auth_message(res, {
+ message: req.T('saml.no_access').replace('APP_NAME', application.name),
+ next_destination: '/dash',
+ })
+ }
+
 if ( req.user.has_authorized(starship_client) ) {
 return this.Vue.invoke_action(res, {
 text: 'Grant Access',
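Review bot: This IAM block is a verbatim copy of the one in the previous hunk and carries the same defect: inside `if ( !application )` the message line reads `application.name` on a null value, so a client with no matching Application record produces a TypeError instead of the denial page. The one-line fix for this branch is `message: req.T('saml.no_access').replace('APP_NAME', client.clientID),` (the `else if` branch can keep `application.name`, since `application` is non-null there). Since the same eighteen lines now appear in two handlers, the lookup and denial would be better extracted into one shared method on the class so the policy check cannot drift between the GET and POST paths; also consider adding the client id to the `'IAM Denial!'` log line so denials are attributable. The enclosing method begins before this hunk and its name is not visible here.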