Last Updated: Aug 9, 2024
Overview
This article explains why the following error occurs when an application reaches the end of a flow and provides steps for resolution:
access_denied
Applies To
- Troubleshooting
- access_denied error
Cause
The access_denied error occurs when Auth0 cannot issue a token, meaning authorization is refused. This error can stem from various sources.
The error_description parameter in the response typically provides specific details about the cause. Examples of error_description values include:
- Service not found: […some invalid audience provided in the token request…]
- User has canceled the interaction.
Custom Rules or Actions configured within Auth0 are common triggers for access_denied errors. These scenarios include:
- Rules or Actions explicitly denying access:
  - A Rule can be coded to return a callback that directly denies login, leading to this error. For example:
    function(user, context, callback) {
      if (someCondition()) {
        return callback("You can't log in");
      }
      [...]
    }
  - Similarly, an Action can explicitly deny access using api.access.deny() like below:
    exports.onExecutePostLogin = async (event, api) => {
      api.access.deny("You can't log in");
    };
  - In both these scenarios, the resulting error_description parameter will typically contain the message: You can't log in
- Uncaught errors in Rules or Actions:
  - Runtime errors that occur within the execution of a Rule or Action, if not caught and handled, also lead to access_denied errors.
  - For example, consider a Rule that attempts to read a property from an object that is undefined:
    function(user, context, callback) {
      // if user_metadata is not defined, this will cause a
      // runtime error
      const favorite_color = user.user_metadata.favorite_color;
      [...]
    }
  - If user.user_metadata is indeed undefined when this Rule executes, a runtime error occurs.
  - This runtime error is then surfaced as an access_denied error, and the error_description parameter will reflect the specific details of the runtime error: Can’t access property “favorite_color” of undefined
- Supplying an incorrect CLIENT_SECRET can result in an access_denied error.
Solution
For a demonstration of this issue, refer to the following video.
To troubleshoot the error:
- Review the configuration and implementation of any relevant Auth0 Actions.
- Verify that the correct CLIENT_SECRET is used during the authentication process.
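As an added example (not Auth0's own code), a post-login Action written to avoid the uncaught-error scenario described above: it guards the user_metadata lookup and denies explicitly through api.access.deny(), next to a fragile variant and a small constructed harness that records each outcome in the error / error_description shape the article describes. The `event` and `api` stand-ins, the sample users and the `runAction` helper are assumptions made for offline testing, not part of the Auth0 runtime.

```javascript
// Added example, not Auth0's own code: a post-login Action that reads
// user_metadata defensively and denies through api.access.deny(), so the
// access_denied carries a deliberate error_description rather than the text
// of a runtime error. In Auth0 it is assigned to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  // Optional chaining: a missing user_metadata yields undefined, not a throw.
  const favoriteColor = event.user.user_metadata?.favorite_color;
  if (favoriteColor === undefined) {
    api.access.deny("Profile incomplete: favorite_color is required");
    return;
  }
  // normal login continues here
};

// Fragile variant mirroring the Rule on this page: dereferences
// user_metadata without a guard, kept only to contrast the outcomes.
const fragileOnExecutePostLogin = async (event, api) => {
  const favoriteColor = event.user.user_metadata.favorite_color;
  if (!favoriteColor) api.access.deny("favorite_color is required");
};

// Minimal stand-in for the Auth0 runtime (constructed here for offline
// testing): records the outcome in the error / error_description shape the
// article describes. Per the article, an uncaught exception is surfaced as
// access_denied with the runtime error text as error_description.
async function runAction(action, user) {
  const outcome = { error: null, error_description: null };
  const api = {
    access: {
      deny: (reason) => {
        outcome.error = "access_denied";
        outcome.error_description = reason;
      },
    },
  };
  try {
    await action({ user }, api);
  } catch (err) {
    outcome.error = "access_denied";
    outcome.error_description = err.message;
  }
  return outcome;
}

// Constructed sample users: one without user_metadata, one with it.
const userWithoutMetadata = { user_id: "auth0|constructed-1" };
const userWithMetadata = {
  user_id: "auth0|constructed-2",
  user_metadata: { favorite_color: "green" },
};
```

Running both Actions against the user without user_metadata shows the difference: the guarded one yields the chosen message, the fragile one yields the engine's "undefined" error text.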
NOTE: When using Auth0 Rules, if a Rule passes a new UnauthorizedError("some message") object to its callback function, the system generates an unauthorized error rather than an access_denied error. For example, a Rule configured as follows:
  function(user, context, callback) {
    if (someCondition()) {
      return callback(new UnauthorizedError("You can't log in"));
    }
    // [...]
  }
will produce the following error details:
  error=unauthorized
  error_description=You can't log in