Always getting unauthorized error on callback following sample Java Spring examples

I’m trying to get the starter examples working, but every time I try to create accounts or log in using Google/Facebook per the examples, it fails. The callback has an error param; I see this in the logs:

 /callback?error=unauthorized&error_description=Access%20denied.&state=nonce%3DE776FDC7E64EF306C81A412D0EBC644C

The logs in the dashboard don’t seem to add anything helpful:

 {
   "date": "2017-06-26T02:31:51.348Z",
   "type": "f",
   "description": "Access denied.",
   "connection": "google-oauth2",
   "connection_id": "con_HpRBMavIeDw440yp",
   "client_id": "yh1aCKMf0-LTaYtNyz5M4pRUlwXCfhEJ",
   "client_name": "Default App",
   "ip": "172.250.251.169",
   "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
   "details": {
     "body": {},
     "qs": {
       "state": "nonce=E776FDC7E64EF306C81A412D0EBC644C",
       "code": "4/uKxNiSx99TwUGl8ldWqKdE45U05dbdZcyiocjNzU5J0",
       "client_id": "yh1aCKMf0-LTaYtNyz5M4pRUlwXCfhEJ",
       "response_type": "code",
       "redirect_uri": "http://localhost:3099/callback",
       "connection": "google-oauth2",
       "sso": "true",
       "scope": "openid user_id name nickname email picture",
       "mfa_requested": false
     },
     "connection": "google-oauth2",
     "error": {
       "message": "Access denied.",
       "oauthError": "unauthorized",
       "type": "oauth-authorization"
     },
     "stats": {
       "loginsCount": 1
     }
   },
   "user_id": "google-oauth2|112356409858219780350",
   "user_name": "alper@goldenratstudios.com",
   "strategy": "google-oauth2",
   "strategy_type": "social",
   "log_id": "49574419589858254662354581349748154613397790277295407138"
 }

A common explanation for the “Access denied.” error is the use of a rule, in particular one of the sample rules that allows denying access based on an email domain whitelist. If you have been experimenting with that rule or similar ones, then please ensure that you either update it to only impact the specific connections/users you want to restrict or simply disable it if you don’t need it anymore.

2 Likes
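
A connection-scoped variant of the email domain whitelist rule described in the answer above, as an added example that is not part of the original thread and not Auth0's own sample code. The connection name `corp-database`, the domain `example.com` and the `evaluate` helper are assumptions for illustration, and `UnauthorizedError` is stubbed so the file also runs outside the Rules sandbox.

```javascript
// Stand-in for the UnauthorizedError global provided by the Auth0 Rules
// sandbox; defined here only so the example runs under plain Node.js.
// Leave this class out when pasting the rule into the dashboard.
class UnauthorizedError extends Error {}

function emailDomainWhitelist(user, context, callback) {
  // Assumed values: replace with your own connection names and domains.
  const restrictedConnections = ['corp-database'];
  const allowedDomains = ['example.com'];

  // Connections that are not explicitly listed pass through untouched, so a
  // forgotten tutorial rule no longer denies google-oauth2 or facebook logins.
  if (!restrictedConnections.includes(context.connection)) {
    return callback(null, user, context);
  }

  // Inside a restricted connection, fail closed: a missing email or an
  // unverified email is treated as not allowed.
  const email = typeof user.email === 'string' ? user.email.toLowerCase() : '';
  const at = email.lastIndexOf('@');
  const domain = at > 0 ? email.slice(at + 1) : '';

  // Exact match on the domain, so "example.com.evil.test" does not pass.
  if (!user.email_verified || !allowedDomains.includes(domain)) {
    return callback(new UnauthorizedError('Access denied.'));
  }
  return callback(null, user, context);
}

// Hypothetical helper: runs the rule against a constructed login and
// reports whether it was allowed or denied.
function evaluate(connection, email, emailVerified = true) {
  let outcome;
  emailDomainWhitelist(
    { email, email_verified: emailVerified },
    { connection },
    (err) => { outcome = err ? 'denied' : 'allowed'; }
  );
  return outcome;
}

// Constructed sample logins.
console.log(evaluate('google-oauth2', 'someone@gmail.com'));
console.log(evaluate('corp-database', 'alice@example.com'));
console.log(evaluate('corp-database', 'bob@other.test'));
```
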

That would seem to be it! Thanks for the help. I’m getting a new error, but I will start a new thread.

Even I was facing the same issue. Thanks a lot!!! This should be highlighted, as most of the users would be getting Access Denied at the early stage of using Auth0.

Thanks for the feedback, I’ll relay this internally.

+1 This was the problem for me.

I’ve gone through the popup introductory tutorial and added this rule (using .example.com for the filter) and forgotten about it when I came to write the auth code. Thanks @jmangelo! I almost binned auth0 out of frustration.

Thank you!!!

I’ve been following the Angular 2+ client quick start. Spent hours trying to figure out why it wouldn’t work. Thanks for this question and answer; if I hadn’t found it I might have wasted many more hours.

OMG~ This was it!!

Many of us follow the quickstart tutorial, create the whitelist rule and forget about it. Either the tutorial needs to be changed, or a more descriptive error message would help.

It would be sensible for auth0 to amend their tutorial, since it gets you to add a rule as part of the setup process, which then prevents you from being able to use the app at all unless you figure out why this is happening!

@bornoriginal1 and @tom.chambers I know that the change was already implemented; it will now need to be reviewed and deployed, so hopefully it will be available soon. In essence, there will be a warning within the tutorial asking to disable the rule after completing the tutorial and calling attention to the fact that not doing so will likely lead to access denied errors.