OIDC Authorization Error: "error=access_denied&error_description=User+is+not+authorized"

Article ID: 440978

Products

SITEMINDER

Issue/Introduction

When attempting an OIDC authorization flow (e.g., calling the /authorize endpoint), the user is redirected to the redirect_uri with the following error after successfully entering credentials and providing consent:

error=access_denied&error_description=User+is+not+authorized

Log Observations

Policy Server Trace Log (smtracedefault.log): the trace shows a successful authentication (AuthAccept) followed by an authorization failure when the OIDC Provider's user directory check runs:

```text
[Sm_Az_Message.cpp:622][CSm_Az_Message::SendReply][s6923/r15][oidcp:OIDC_Auth_Provider][][sample-user1][][oidcp:OIDC_Auth_Provider_az][oidcp:OIDC_Auth_Provider]...[** Status: Not Authorized. ]
```

Access Log (smaccess.log):

```text
[Az][AzAccept] ... [/affwebservices/redirectjsp/redirect.jsp?response_type=code&scope=openid&client_id=...] ... [federation_redirectjsp_policydomain]
```

Environment

Policy Server: All versions

Cause

The issue is caused by the user directory configuration within the OIDC Provider settings.

In SiteMinder OIDC configurations, the Authentication and Authorization section of the Provider setup requires a user directory to be mapped. Even when the user is successfully authenticated by a separate authentication scheme, the user must also be authorized against the user directory configured in the Provider. If the user is missing from that directory, or an Exclusion filter matches the user, the Policy Server returns a "Not Authorized" status, which surfaces at the redirect_uri as the access_denied error above.
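A small triage helper for this symptom, added here as an example and not part of the article or the SiteMinder product: it scans smtracedefault.log text for sessions where a user was accepted by authentication and then rejected by the Provider's `_az` authorization check, so affected users can be compared against the mapped user directory. The bracketed field positions are an assumption taken from the single trace line above, and the sample log lines are constructed for the example.

```python
import re

# Constructed sample in the bracketed layout of the trace line quoted on this page.
# The authentication lines are invented for the example; only the Not Authorized
# line mirrors the article's excerpt.
SAMPLE_TRACE = """\
[ConstructedAuth.cpp:1][ConstructedAuth::Accept][s6923/r14][oidcp:OIDC_Auth_Provider][][sample-user1][][oidcp:OIDC_Auth_Provider_authn][oidcp:OIDC_Auth_Provider]...[** Status: AuthAccept. ]
[Sm_Az_Message.cpp:622][CSm_Az_Message::SendReply][s6923/r15][oidcp:OIDC_Auth_Provider][][sample-user1][][oidcp:OIDC_Auth_Provider_az][oidcp:OIDC_Auth_Provider]...[** Status: Not Authorized. ]
[ConstructedAuth.cpp:1][ConstructedAuth::Accept][s7001/r3][oidcp:OIDC_Auth_Provider][][sample-user2][][oidcp:OIDC_Auth_Provider_authn][oidcp:OIDC_Auth_Provider]...[** Status: AuthAccept. ]
[Sm_Az_Message.cpp:622][CSm_Az_Message::SendReply][s7001/r4][oidcp:OIDC_Auth_Provider][][sample-user2][][oidcp:OIDC_Auth_Provider_az][oidcp:OIDC_Auth_Provider]...[** Status: Authorized. ]
[Sm_Az_Message.cpp:622][CSm_Az_Message::SendReply][s7002/r2][oidcp:OIDC_Auth_Provider][][sample-user3][][oidcp:OIDC_Auth_Provider_az][oidcp:OIDC_Auth_Provider]...[** Status: Not Authorized. ]
"""

# One bracketed field; a trace line is a run of these (empty [] fields included).
FIELD_RE = re.compile(r"\[([^\]]*)\]")


def parse_trace_line(line):
    """Split a trace line into fields. Positions are an assumption from the page's
    sample: 2 = session/request id, 5 = user, 7 = realm, last = status text."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 8:
        return None  # not a line in the expected layout
    return {
        "session": fields[2].split("/")[0],      # "s6923/r15" -> "s6923"
        "user": fields[5],
        "realm": fields[7],
        "status": fields[-1].strip("* ."),       # "** Status: Not Authorized. " -> "Status: Not Authorized"
    }


def find_authn_ok_authz_denied(log_text):
    """Return [(session, user, realm)] for sessions where the same user was
    accepted by authentication and later rejected by an authorization reply.
    That is the pattern this article attributes to the Provider's user directory."""
    accepted = set()
    hits = []
    for raw in log_text.splitlines():
        rec = parse_trace_line(raw)
        if rec is None:
            continue
        key = (rec["session"], rec["user"])
        if "AuthAccept" in rec["status"]:
            accepted.add(key)
        elif rec["status"] == "Status: Not Authorized" and key in accepted:
            hits.append((rec["session"], rec["user"], rec["realm"]))
    return hits


if __name__ == "__main__":
    for session, user, realm in find_authn_ok_authz_denied(SAMPLE_TRACE):
        print(f"{user}: authenticated but denied in {realm} (session {session})")
```

Users reported by the helper are the ones to check against the directory and Exclusions in the Provider's Authentication and Authorization section; a Not Authorized line with no preceding AuthAccept in the same session (sample-user3) is deliberately not reported, since that is a different failure.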

Resolution

To resolve this issue, ensure the user directory is correctly configured to authorize the impacted users:

  1. Log in to the Administrative UI.
  2. Navigate to Federation > Partnership Federation > OIDC Providers.
  3. Open the specific Provider configuration used by the client.
  4. Go to the Authentication and Authorization section (or tab).
  5. Verify that the User Directory containing your test users is added to the list.
  6. Check for any Exclusions:
    • Ensure the specific user or group is not explicitly excluded.
    • If using filters, verify that the filter correctly evaluates the user's attributes.
  7. Save the configuration and allow time for the Policy Server to update its cache (or flush the cache manually).
  8. Re-test the authorization flow.