diff --git a/lib/web/auth/oauth2/index.js b/lib/web/auth/oauth2/index.js
index e7c93067d..2cdcc3499 100644
--- a/lib/web/auth/oauth2/index.js
+++ b/lib/web/auth/oauth2/index.js
@@ -75,7 +75,13 @@ function checkAuthorization (data, done) {
 logger.error('oauth2: "accessRole" is configured, but "rolesClaim" is missing from the config. Can\'t check group membership!')
 } else {
 // parse and check role data
- const roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
+ let roles = []
+ try {
+ roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
+ } catch (err) {
+ logger.warn(`oauth2: failed to extract rolesClaim '${config.oauth2.rolesClaim}' from user profile.`)
+ return done('Permission denied', null)
+ }
 if (!roles) {
 logger.error('oauth2: "accessRole" is configured, but user profile doesn\'t contain roles attribute. Permission denied')
 return done('Permission denied', null)
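Review bot: The new `catch (err)` block discards `err` and logs at `warn`, while the two neighbouring denial paths in this hunk use `logger.error`, so this access denial is recorded at a lower severity and without its cause. I would switch the call to `logger.error(` and end the template with `from user profile: ${err.message}. Permission denied`, provided the error text from extractProfileAttribute cannot embed profile contents (not visible here); otherwise log only `err.name`. Failing closed via `return done('Permission denied', null)` is the right outcome for a malformed or missing claim. The `[]` initializer is never observed, because every path either assigns `roles` or returns, so `let roles` is enough. checkAuthorization begins and ends outside the hunk, so how `roles` is used after the `if (!roles)` check cannot be confirmed from here.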