Last Updated: Aug 9, 2024
Overview
An application is getting an access_denied error at the end of the flow.
This article details why this is happening.
Applies To
- Troubleshooting
- access_denied error
Cause
access_denied happens when Auth0 cannot issue a token (Auth0 refuses the authorization). It can happen for many reasons and the error_description parameter usually provides a useful hint.
E.g.
- Service not found: […some invalid audience provided in the token request…]
- User has canceled the interaction.
The most common source of these errors, however, is rules or actions. E.g., if there is a rule like this:
function(user, context, callback) {
  if (someCondition()) {
    return callback("You can't log in");
  }
  [...]
}
This will generate an access_denied error with error_description=You can't log in. The same applies to Actions:
exports.onExecutePostLogin = async (event, api) => {
  api.access.deny("You can't log in");
};
A common issue is that uncaught errors in rules or actions will also generate an access_denied error. For example:
function(user, context, callback) {
  // if user_metadata is not defined, this will cause a runtime error
  const favorite_color = user.user_metadata.favorite_color;
  [...]
}
The code above will fail if user_metadata is not defined, throwing the error:
Can’t access property “favorite_color” of undefined.
This will end up as an access_denied error, with Can’t access property “favorite_color” of undefined in the error_description.
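The rule above next to a guarded version, as an added example that is not Auth0's code. runRule is a constructed stand-in for the rules runtime that models only the behavior this article describes; guardedRule, GENERIC_DENIAL and the "blocked" condition are hypothetical names and values.

```javascript
// Constructed stand-in for the rules runtime. It models only what this article
// states: a string passed to callback, or an uncaught exception, ends the flow
// with error=access_denied and the message as error_description.
function runRule(rule, user) {
  let outcome = null;
  const callback = (err) => {
    outcome = err
      ? { error: "access_denied", error_description: String(err) }
      : { error: null };
  };
  try {
    rule(user, {}, callback);
  } catch (e) {
    outcome = { error: "access_denied", error_description: e.message };
  }
  return outcome;
}

// The article's rule as written: throws when user_metadata is undefined.
function unguardedRule(user, context, callback) {
  const favorite_color = user.user_metadata.favorite_color;
  return callback(null, user, context);
}

const GENERIC_DENIAL = "Login could not be completed"; // constructed message

// Guarded variant (hypothetical): a missing user_metadata is tolerated, and any
// unexpected runtime error is turned into a fixed, deliberate denial message.
function guardedRule(user, context, callback) {
  let denial = null;
  try {
    const metadata = user.user_metadata || {}; // undefined metadata -> empty object
    if (metadata.favorite_color === "blocked") { // hypothetical policy condition
      denial = "You can't log in";
    }
  } catch (err) {
    console.log("rule error:", err.message); // keep the detail for operators
    denial = GENERIC_DENIAL; // runtime error text does not reach error_description
  }
  return denial ? callback(denial) : callback(null, user, context);
}
```

With a user object that has no user_metadata, runRule(unguardedRule, {}) reports access_denied carrying the runtime error text, while runRule(guardedRule, {}) lets the login continue.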
Solution
For a demonstration of this issue, refer to the following video.
If receiving an access_denied error, first check the rules. Another possible reason is that an incorrect CLIENT_SECRET is passed in.
NOTE: If returning a new UnauthorizedError("some message") object in the callback, the resulting error will be unauthorized instead of access_denied.
function(user, context, callback) {
  if (someCondition()) {
    return callback(new UnauthorizedError("You can't log in"));
  }
  [...]
}
This causes:
error=unauthorized
&error_description=You can't log in