diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go
index 3cfc68f39..1e94b211b 100644
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -213,27 +213,17 @@ func getClaimsFromToken(token string) (map[string]interface{}, error) {
 return nil, errAuthentication
 }
 
- if globalPolicyOPA == nil {
- // If OPA is not set and if ldap claim key is set, allow the claim.
- if _, ok := claims.MapClaims[ldapUser]; ok {
- return claims.Map(), nil
- }
+ // If OPA is set, return without any further checks.
+ if globalPolicyOPA != nil {
+ return claims.Map(), nil
+ }
 
- // If OPA is not set, session token should
- // have a policy and its mandatory, reject
- // requests without policy claim.
- _, pokOpenID := claims.MapClaims[iamPolicyClaimNameOpenID()]
- _, pokSA := claims.MapClaims[iamPolicyClaimNameSA()]
- if !pokOpenID && !pokSA {
- return nil, errAuthentication
- }
-
- sp, spok := claims.Lookup(iampolicy.SessionPolicyName)
- if !spok {
- return claims.Map(), nil
- }
+ // Check if a session policy is set. If so, decode it here.
+ sp, spok := claims.Lookup(iampolicy.SessionPolicyName)
+ if spok {
 // Looks like subpolicy is set and is a string, if set then its
- // base64 encoded, decode it. Decoding fails reject such requests.
+ // base64 encoded, decode it. Decoding fails reject such
+ // requests.
 spBytes, err := base64.StdEncoding.DecodeString(sp)
 if err != nil {
 // Base64 decoding fails, we should log to indicate
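Review bot: The `if globalPolicyOPA != nil` early return sits above the session-policy decode, so on the OPA path the `SessionPolicyName` claim is returned still base64-encoded, while the companion hunk in cmd/iam.go removes the decode from isAllowedBySessionPolicy and therefore assumes the claim is already plain policy JSON. If the OPA path never evaluates the session policy this is harmless, but the invariant is implicit and easy to break later; either move the OPA return below the `if spok { … }` block so the claim map has one shape regardless of OPA, or state it: `// With OPA set the session policy claim is left base64-encoded here; isAllowedBySessionPolicy expects the decoded form and must not be reached on this path.` The decode-failure branch (its logging and return) and the rest of getClaimsFromToken continue past the end of this hunk, and the function's start is above it.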
@@ -244,6 +234,19 @@ func getClaimsFromToken(token string) (map[string]interface{}, error) { claims.MapClaims[iampolicy.SessionPolicyName] = string(spBytes) } + // If LDAP claim key is set, return here. + if _, ok := claims.MapClaims[ldapUser]; ok { + return claims.Map(), nil + } + + // Session token must have a policy, reject requests without policy + // claim. + _, pokOpenID := claims.MapClaims[iamPolicyClaimNameOpenID()] + _, pokSA := claims.MapClaims[iamPolicyClaimNameSA()] + if !pokOpenID && !pokSA { + return nil, errAuthentication + } + return claims.Map(), nil } diff --git a/cmd/iam.go b/cmd/iam.go index 2f296c37a..54ef43c1b 100644 --- a/cmd/iam.go +++ b/cmd/iam.go @@ -2353,13 +2353,6 @@ func isAllowedBySessionPolicy(args iampolicy.Args) (hasSessionPolicy bool, isAll return } - policyBytes, err := base64.StdEncoding.DecodeString(spolicyStr) - if err != nil { - // Got a malformed base64 string - return - } - spolicyStr = string(policyBytes) - // Check if policy is parseable. subPolicy, err := iampolicy.ParseConfig(bytes.NewReader([]byte(spolicyStr))) if err != nil {
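Review bot: The LDAP early return is a presence-only check on the `ldapUser` claim key, and its comment ("If LDAP claim key is set, return here.") does not say why such tokens are exempt from the policy-claim requirement enforced immediately below, which is the security-relevant fact a reader auditing this path needs. Presumably LDAP STS identities get their policy from the server-side LDAP user mapping rather than from a token claim, and the token is signed so the key cannot be injected by a client; if that is the case, say so: `// LDAP STS tokens are authorized through the LDAP user-to-policy mapping, not a policy claim, so the policy-claim requirement below does not apply to them.` Note that this placement after the `if spok { … }` block (not visible here) is what makes a malformed base64 session policy on an LDAP token rejected rather than accepted, which is worth a sentence in the commit description. The start of getClaimsFromToken is outside this hunk.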
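Review bot: isAllowedBySessionPolicy now hands `spolicyStr` straight to `iampolicy.ParseConfig`, so it relies on every producer of `args.Claims` having already base64-decoded the session policy claim; getClaimsFromToken in cmd/auth-handler.go does that in this same commit, but any caller that builds Claims from raw token claims will now fail to parse a perfectly valid policy, and nothing at this call site records the expectation. Add a comment above the parse: `// spolicyStr must already be base64-decoded (see getClaimsFromToken); raw token claims are not accepted here.` The `if err != nil` branch is cut off at the end of the hunk, so please confirm it fails closed, i.e. reports the session policy as present with isAllowed=false, so that an unparseable session policy can never be treated as absent and fall back to the broader parent policy. The function starts above this hunk and continues below it.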