Why am I getting an access_denied error?

Question:

My application is getting an access_denied error at the end of the flow. Why is that?

Answer:

access_denied happens when Auth0 can’t issue a token (Auth0 refuses the authorization). It can happen for many reasons, and the error_description parameter usually provides a useful hint.

E.g.

Service not found: […some invalid audience provided in the token request…]

User has canceled the interaction.

The most common source of these errors, however, is rules or actions. For example, if you have a rule like this:

function(user, context, callback) {
  if (someCondition()) {
    return callback("You can't log in");
  }
  [...]
}

This will generate an access_denied error, with error_description=You can't log in. The same applies to Actions:

exports.onExecutePostLogin = async (event, api) => {
  api.access.deny("You can't log in");
};

A very common gotcha is that uncaught errors in rules or actions will also generate an access_denied error. E.g. this:

function(user, context, callback) {

  // if user_metadata is not defined, this will cause a 
  // runtime error
  const favorite_color = user.user_metadata.favorite_color;
  [...]
}

The code above will fail if user_metadata is not defined, throwing a Can't access property "favorite_color" of undefined error. This will end up as an access_denied error, with Can't access property "favorite_color" of undefined in the error_description.

So, if you get access_denied, check your rules first!

Note

If you return a new UnauthorizedError("some message") object in the callback, you get unauthorized instead of access_denied as the error.

function(user, context, callback) {
  if (someCondition()) {
    return callback(new UnauthorizedError("You can't log in"));
  }
  [...]
}

This causes:

error=unauthorized
&error_description=You can't log in
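The uncaught-error gotcha described above puts the runtime error text into error_description, which is returned to the application. The following is an added example, not code from the original post or from Auth0: a post-login Action that reads user_metadata without throwing and turns any unexpected exception into a deliberate deny with a fixed message. The names `favoriteColor`, `guarded`, `GENERIC_DENY` and `COLOR_REQUIRED`, and the favorite-color policy itself, are hypothetical.

```javascript
// Added example (not Auth0's code). Only api.access.deny and
// onExecutePostLogin come from the page; every other name is hypothetical.
const GENERIC_DENY = "Login failed. Please contact support.";   // constructed
const COLOR_REQUIRED = "Please set a favorite color first.";    // constructed

// Safe read: returns null instead of throwing when user_metadata
// (or the user object itself) is undefined.
function favoriteColor(user) {
  return user?.user_metadata?.favorite_color ?? null;
}

// Wrap a post-login handler so an uncaught error becomes an explicit deny
// with a fixed message. The real error text goes to the log sink instead
// of ending up in error_description.
function guarded(handler, log = console.error) {
  return async (event, api) => {
    try {
      await handler(event, api);
    } catch (err) {
      log(`post-login action failed: ${err && err.message}`);
      api.access.deny(GENERIC_DENY);
    }
  };
}

// Illustrative policy: an intentional deny carries a message written for
// the user, so it can be told apart from the generic failure message.
const onExecutePostLogin = guarded(async (event, api) => {
  if (favoriteColor(event.user) === null) {
    api.access.deny(COLOR_REQUIRED);
  }
});

// Auth0 Actions expect the handler on exports; guarded so the file also
// loads in environments without CommonJS.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

With this shape, an error_description equal to the generic message points at a bug in the Action, and the detail is in the Action's logs.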