Skip to main content
kiri
Staff & Editor
kiri
Staff & Editor
February 7, 2025

Technical Tip: How to fix OAuth error 403, OAuth login failed: invalid_request

  • February 7, 2025
  • 0 replies
  • 1483 views
Description This article describes how to fix OAuth authentication server error 403 and OAuth login failed: invalid_request.
Scope FortiTrust Identity and FortiAuthenticator v6.5, v6.6.
Solution

When settings up OAuth for the first time, the authentication process might fail with error 403 for the end user after the credentials are validated.

 

403.png

 

Validated credentials raw log: If credential validation fails, that must be troubleshooted first.

 

Log Details
Log Record Detail
ID 9157
Timestamp Thu Feb 6 13:04:49 2025
Level information
Action Login
Status Success
Source IP 10.93.20.155
Message [sslvpnuser] has successfully logged in guest portal[nextcloud-lab-portal]
User sslvpnuser
Log Type
Type Id 20604
Name Guest Portal Authentication OK
Sub Category Authentication
Category Event
Description Guest portal authentication request succeed

 

The error corresponding to the error 403 looks like this in the raw logs:

 

Log Details
Log Record Detail
ID 9159
Timestamp Thu Feb 6 13:04:49 2025
Level information
Action
Status
Source IP
Message OAuth login failed: invalid_request
User
Log Type
Type Id 20100
Name Authentication Failed
Sub Category Authentication
Category Event
Description Authentication failed (general)

 

One reason for this error is the Authorization grant type mismatch, Password-based or Authorization code.

 

auth.png

 

The REST API debug can also show which Authorization grant type is the Relying party using:

 

2025-02-06 12:04:49,654 debug 27165 140155504080576 Selecting handler for request <oauthlib.openid.connect.core.grant_types.authorization_code.AuthorizationCodeGrant object at 0x7f787cb046d0>.
2025-02-06 12:04:49,657 debug 27165 140155504080576 Validating redirection uri   for client D89AHp2lWHn0123456789HUzzl18MF9Cctj29KAW.
2025-02-06 12:04:49,657 debug 27165 140155504080576 Using provided redirect_uri  

 

In this example, the Relying party Nextcloud is using by default Authorization code, but the FortiAuthenticator's default is Password-based.


This will result in the failure described above. Both parties need to use the same Authorization grant type. Changing FortiAuthenticator to Authorization code resolves the issue in this example.

 

Another reason for the error 403, but without or very little OAuth events, can be the OAuth Service not being enabled on the interface.
    Terms & ConditionsAccessibility statement