Troubleshooting the "access_denied" Error

Last Updated: Aug 9, 2024

Overview

This article explains why the following error occurs when an application reaches the end of a flow and provides steps for resolution:

access_denied

Applies To

  • Troubleshooting
  • access_denied error

Cause

The access_denied error occurs when Auth0 cannot issue a token, meaning authorization is refused. This error can stem from various sources.

The error_description parameter in the response typically provides specific details about the cause. Examples of error_description values include:

  • Service not found: […some invalid audience provided in the token request…]
  • User has canceled the interaction.

Custom Rules or Actions configured within Auth0 are common triggers for access_denied errors. These scenarios include:

  • Rules or Actions explicitly denying access:
    • A Rule can be coded to return a callback that directly denies login, leading to this error. For example:

function(user, context, callback) {
  if (someCondition()) {
    return callback("You can't log in");
  }
  // [...]
}

    • Similarly, an Action can explicitly deny access using api.access.deny(), as below:

exports.onExecutePostLogin = async (event, api) => {
  api.access.deny("You can't log in");
};

    • In both of these scenarios, the resulting error_description parameter will typically contain the message: You can't log in
  • Uncaught errors in Rules or Actions:
    • Runtime errors that occur during the execution of a Rule or Action, if not caught and handled, also lead to access_denied errors.
    • For example, consider a Rule that attempts to read a property from an object that is undefined:

function(user, context, callback) {
  // if user_metadata is not defined, this will cause a
  // runtime error
  const favorite_color = user.user_metadata.favorite_color;
  // [...]
}

    • If user.user_metadata is indeed undefined when this Rule executes, a runtime error occurs.
    • This runtime error is then surfaced as an access_denied error, and the error_description parameter will reflect the specific details of the runtime error:
      Can't access property "favorite_color" of undefined
  • Supplying an incorrect CLIENT_SECRET can result in an access_denied error.

Solution

For a demonstration of this issue, refer to the following video.

To troubleshoot the error:

  1. Review the configuration and implementation of any relevant Auth0 Actions.
  2. Verify that the correct CLIENT_SECRET is used during the authentication process.

NOTE: When using Auth0 Rules, if a Rule's callback is invoked with a new UnauthorizedError("some message") object, the system generates an unauthorized error rather than an access_denied error. For example, a Rule configured as follows:

function(user, context, callback) {
  if (someCondition()) {
    return callback(new UnauthorizedError("You can't log in"));
  }
  // [...]
}

will produce the following error details:

error=unauthorized
error_description=You can't log in
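The following is an added example, not code from this article or from Auth0: it runs Rule and Action functions locally against stub inputs so the three outcomes described above (an explicit deny via the callback, an uncaught runtime error from a missing user_metadata object, and a deny via UnauthorizedError) can be reproduced before a Rule or Action is deployed. The `context` and `api` stubs, the local `UnauthorizedError` stand-in, and the `runRule`/`runAction` mapping of outcomes to error codes are simplified assumptions modelled on the behaviour this article describes, not the real Auth0 runtime.

```javascript
// Added example, not code from the Auth0 article: run Rule and Action
// functions locally against stub inputs to see which path yields a clean,
// explicit deny and which one throws an uncaught runtime error. The `context`
// and `api` stubs and the `UnauthorizedError` stand-in are assumptions; the
// real Auth0 runtime supplies its own.

// Stand-in for the UnauthorizedError available in the Rules sandbox.
class UnauthorizedError extends Error {}

// Unguarded Rule: throws a TypeError when user_metadata is missing.
function unguardedRule(user, context, callback) {
  const favorite_color = user.user_metadata.favorite_color;
  if (favorite_color !== "blue") {
    return callback("You can't log in");
  }
  return callback(null, user, context);
}

// Guarded Rule: optional chaining tolerates missing metadata, so the only
// way to be denied is the explicit callback error.
function guardedRule(user, context, callback) {
  const favorite_color = user.user_metadata?.favorite_color;
  if (favorite_color !== "blue") {
    return callback("You can't log in");
  }
  return callback(null, user, context);
}

// Rule that signals the deny with UnauthorizedError instead of a string.
function unauthorizedRule(user, context, callback) {
  return callback(new UnauthorizedError("You can't log in"));
}

// Simplified model (assumption) of the outcomes the article describes:
// a string error or an uncaught exception -> access_denied,
// an UnauthorizedError -> unauthorized, no error -> login continues.
function runRule(rule, user, context = {}) {
  let result;
  try {
    rule(user, context, (err) => {
      if (!err) {
        result = { error: null, error_description: null, thrown: false };
      } else if (err instanceof UnauthorizedError) {
        result = { error: "unauthorized", error_description: err.message, thrown: false };
      } else {
        result = { error: "access_denied", error_description: String(err), thrown: false };
      }
    });
  } catch (e) {
    // The Rule never reached its callback: the runtime error itself is surfaced.
    result = { error: "access_denied", error_description: e.message, thrown: true };
  }
  return result;
}

// Action form of the guarded check, written against the Actions signature.
const onExecutePostLogin = async (event, api) => {
  const favorite_color = event.user.user_metadata?.favorite_color;
  if (favorite_color !== "blue") {
    api.access.deny("You can't log in");
  }
};

// Run an Action with a stub `api` that records api.access.deny() calls.
async function runAction(action, event) {
  const denials = [];
  const api = { access: { deny: (reason) => denials.push(reason) } };
  await action(event, api);
  return denials.length > 0
    ? { error: "access_denied", error_description: denials[0] }
    : { error: null, error_description: null };
}

// Quick demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(runRule(unguardedRule, {}));
  console.log(runRule(guardedRule, {}));
  console.log(runRule(guardedRule, { user_metadata: { favorite_color: "blue" } }));
  console.log(runRule(unauthorizedRule, {}));
  runAction(onExecutePostLogin, { user: {} }).then(console.log);
}
```

The unguarded Rule is the shape that surfaces a runtime error message as the error_description; the guarded Rule and the Action produce the explicit "You can't log in" message instead, which is what a user-facing deny should look like. Running a Rule or Action through a harness like this with a user that has no user_metadata is a cheap way to catch the missing-property case before it reaches a tenant.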