A method carried out by a controller is disclosed. The method includes receiving (s10) a message including a request token. A request token is a value used by a consumer (300) to request authorization from a user to access protected resources from a service provider (400). A service provider (400) is at least one of a software application and web site that is configured to provide access to protected resources. A consumer {300} is at least one of a software application and a web site that is configured to access a service provider (400) on behalf of a user. The method further includes determining (s20) whether the message meets policy settings governing the access to protected resources; and, if it is determined (s30) that the message does not meet the policy settings, preventing (s34) the request token from being forwarded to the service provider (400) associated with the request token.