
Resource server requests result in 403 (insufficient_access)

Confirm you’ve already contributed to this project or that you sponsor it

  • I confirm I’m a sponsor or a contributor

Version

3.x

Question

Hello, first off thanks for making this amazing library. I’m running into an issue where my resource server is constantly giving back errors saying insufficient_access.

I get the following log (enabled trace logging):

info: Microsoft.EntityFrameworkCore.Database.Command[20101]
      Executed DbCommand (2ms) [Parameters=[@__identifier_0='?' (Size = 4000)], CommandType='Text', CommandTimeout='30']
      SELECT TOP(1) [c].[Id], [c].[Name], [c].[TenantIdentifier]
      FROM [CRM_Company] AS [c]
      WHERE [c].[TenantIdentifier] = @__identifier_0
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessRequestContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+InferIssuerFromHost.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromAuthorizationHeader.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromBodyForm.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromQueryString.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateToken.
trce: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The ASP.NET Core Data Protection token 'CfDJ8OpP9CaZdrhJkH68OTXlDjysdPNz2QHn-sGvfq4CWi8XFygCCaOPUO3an6nR0e5hRgQNglVRf1XDM8WenPn3PlSGu97v3ecOjBXT3O8nU7dRn9WWu18yshJEuflKgGwM9zNpyy7KETAxGSGmhWQl7N103HV47KulgAZavtNvS12m6WfLzCJrfe3N0cuWamr6nKKR6MNSv3g1da4Kxo53EtT2UeKUaCl_I21K-KsOnFwubWpfKzuCELkF4LaM_1qDFObvKKRb3Itl2o8FlDeTJmlEPoBA0G3chi_XuC8L2HjahqkY_mcLHGY15OWfeYuQdDbV9DnpCKscg8Bufj56_lszn2KNHzabkldZIE5lVMC318Vx7-_S5L_nLwv0J69mVkQzmvjX9Sr8oT8YrFNpu6b7IZV9Jd5AeyI6CcyXniGovv14nLA2u6-qYqtsrZCkgx-MJ1hgjrg83ykDTknaxg09bpcZUOBTQusW9JLhcEd0cyyGgykMsSFE271sYoHS1FkPFy8XL_NuFzqMwwwadePE14Fu6WUpUEr_RltsZB-2BSXUohq4fVF2KF8DMgbMSjslBoAQbf8bUvYK-eFKhTaObhATNh7sGf9N6JklwcWaEAq8uKSlVbn25iPRfkrieEU6kecwbMT5uwt94njWYS04-LNzU4WJ9LT9ZfeMWzt9D1Qs5b9p95oY5mBdcobn1LPu_qAjOng3qmwfjJNBpqE' was successfully validated and the following claims could be extracted: sub: 5, email: thom.vandenakker@outlook.com, name: Admin, role: Admin, client_id: mobile-app, oi_prst: mobile-app, oi_scp: openid, oi_scp: profile, oi_scp: email, oi_scp: roles, oi_scp: offline_access, oi_scp: mobile.access, oi_au_id: 874, oi_crt_dt: Thu, 04 Aug 2022 18:15:34 GMT, oi_exp_dt: Thu, 04 Aug 2022 18:18:34 GMT, oi_tkn_id: 857, oi_tkn_typ: access_token.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.DataProtection.OpenIddictValidationDataProtectionHandlers+ValidateDataProtectionToken.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+IntrospectToken.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+NormalizeScopeClaims.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+MapInternalClaims.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidatePrincipal.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateExpirationDate.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateAudience.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+AttachHostChallengeError.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+AttachDefaultChallengeError.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+AttachHttpResponseCode`1[[OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext, OpenIddict.Validation, Version=3.1.1.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+AttachCacheControlHeader`1[[OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext, OpenIddict.Validation, Version=3.1.1.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+AttachWwwAuthenticateHeader`1[[OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext, OpenIddict.Validation, Version=3.1.1.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
info: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The response was successfully returned as a challenge response: {
        "error": "insufficient_access",
        "error_description": "The user represented by the token is not allowed to perform the requested action.",
        "error_uri": "https://documentation.openiddict.com/errors/ID2095"
      }.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ProcessChallengeErrorResponse`1[[OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext, OpenIddict.Validation, Version=3.1.1.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
      The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was marked as handled by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ProcessChallengeErrorResponse`1[[OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext, OpenIddict.Validation, Version=3.1.1.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
info: OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandler[13]
      AuthenticationScheme: OpenIddict.Validation.AspNetCore was forbidden.

I find this strange because I debugged my authorization policies and the conditions seem to be correct (at least the scope assertion does). I don’t know where this error comes from, but it seems to be something that OpenIddict throws (because of the error format).

I’m using the following configuration for:

  • Authorization server: https://gist.github.com/Thodor12/eab711b9e2d5cfbc96616a1e31911945
  • Resource server: https://gist.github.com/Thodor12/0a4bd83157d3470590e61e0989c56b67
  • Authorization endpoint: https://gist.github.com/Thodor12/d6d65143e9b19335668525c2b2142ece

I have populated my scopes through code, not in the database, my endpoints use the Authorize attribute like so: [Authorize(Policy = nameof(Scope.Customers))].

I also have a small middleware to unpack the scopes (so that mobile.access is transformed into mobile.access customers etc.; mobile.access is a combination of other scopes).

Let me know if you need any more info or see something out of the ordinary, I’m a bit stumped on the problem.
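The scope unpacking and scope-based policy described in the question, as an added example that is not the issue author's code or OpenIddict's own: it expands a composite scope into its members with an IClaimsTransformation (which runs during authentication, so before policy evaluation, unlike middleware placed after UseAuthorization) and asserts the concrete scope with OpenIddict's HasScope helper, which reads the oi_scp claims visible in the trace log. The composite-scope map, the policy name "Customers" and the member scopes "customers"/"orders" are assumptions.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Abstractions;
using OpenIddict.Validation.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Hypothetical server-side map: a composite scope and the concrete scopes it grants.
// Keep this on the resource server; never derive the expansion from client input.
public static class CompositeScopes
{
    public static readonly IReadOnlyDictionary<string, string[]> Map =
        new Dictionary<string, string[]>(System.StringComparer.Ordinal)
        {
            ["mobile.access"] = new[] { "customers", "orders" } // assumed members
        };
}

// Runs during authentication, so the added oi_scp claims exist when the policy is evaluated.
// TransformAsync may be invoked more than once per request: only add claims that are missing.
public sealed class ScopeExpansionTransformation : IClaimsTransformation
{
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return Task.FromResult(principal);

        foreach (var composite in principal.GetScopes()) // snapshot of the oi_scp claims
        {
            if (!CompositeScopes.Map.TryGetValue(composite, out var members)) continue;
            foreach (var member in members)
                if (!principal.HasScope(member)) // idempotent on repeated calls
                    identity.AddClaim(new Claim(Claims.Private.Scope, member));
        }
        return Task.FromResult(principal);
    }
}

public static class ScopePolicies
{
    // Registration for Program.cs / Startup.ConfigureServices (assumed policy name).
    public static void AddScopePolicies(this IServiceCollection services)
    {
        services.AddTransient<IClaimsTransformation, ScopeExpansionTransformation>();
        services.AddAuthorization(options =>
            options.AddPolicy("Customers", policy => policy
                .AddAuthenticationSchemes(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser()
                .RequireAssertion(ctx => ctx.User.HasScope("customers"))));
    }
}
```

If the policy still forbids, log ctx.User.GetScopes() inside the assertion: an empty list there means the token never reached this request (for example, lost across a redirect), not that the scope claim was wrong.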

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments:39 (18 by maintainers)

Top GitHub Comments

1 reaction
Thodor12 commented, Aug 4, 2022

Alright, good to know, saves me the trouble of having to throw that certificate around to multiple runtimes, haha. Thanks so much for your help, I’ll close this now.

0 reactions
kevinchalet commented, Aug 13, 2022

It’s doing a https redirect to the localtunnel domain, that’s probably why it loses its token…

Ockham would love that 🤣

I feel sorry for blaming the problem on OpenIddict, I didn’t think this could’ve been the problem

No problem 😄

At least you still managed to help me find the problem so thank you so much for that! I’ll upgrade the sponsor a level since this has basically become a second support request within the first one 😄

Glad I could help! Thanks for sponsoring the project 👍🏻

