kiri (Staff)
Article Id 375110
Description: This article describes how to fix OAuth authentication server error 403 and OAuth login failed: invalid_request.
Scope: FortiTrust Identity and FortiAuthenticator v6.5, v6.6.
Solution

When setting up OAuth for the first time, the authentication process might fail with error 403 for the end user even though the credentials were validated.

[Image: 403.png]

Raw log of the validated credentials (if credential validation itself fails, troubleshoot that first):

Log Details
Log Record Detail
ID: 9157
Timestamp: Thu Feb 6 13:04:49 2025
Level: information
Action: Login
Status: Success
Source IP: 10.93.20.155
Message: [sslvpnuser] has successfully logged in guest portal[nextcloud-lab-portal]
User: sslvpnuser
Log Type
Type Id: 20604
Name: Guest Portal Authentication OK
Sub Category: Authentication
Category: Event
Description: Guest portal authentication request succeed

The raw log entry corresponding to error 403 looks like this:

Log Details
Log Record Detail
ID: 9159
Timestamp: Thu Feb 6 13:04:49 2025
Level: information
Action:
Status:
Source IP:
Message: OAuth login failed: invalid_request
User:
Log Type
Type Id: 20100
Name: Authentication Failed
Sub Category: Authentication
Category: Event
Description: Authentication failed (general)

One reason for this error is a mismatch of the Authorization grant type between the two sides (Password-based versus Authorization code).

[Image: auth.png]

The REST API debug also shows which Authorization grant type the Relying Party is using:

2025-02-06 12:04:49,654 debug 27165 140155504080576 Selecting handler for request <oauthlib.openid.connect.core.grant_types.authorization_code.AuthorizationCodeGrant object at 0x7f787cb046d0>.
2025-02-06 12:04:49,657 debug 27165 140155504080576 Validating redirection uri   for client D89AHp2lWHn0123456789HUzzl18MF9Cctj29KAW.
2025-02-06 12:04:49,657 debug 27165 140155504080576 Using provided redirect_uri  

In this example, the Relying Party (Nextcloud) uses Authorization code by default, while FortiAuthenticator defaults to Password-based.


This mismatch results in the failure described above. Both parties must use the same Authorization grant type; in this example, changing FortiAuthenticator to Authorization code resolves the issue.

Another cause of error 403, recognizable by few or no OAuth events in the logs, is the OAuth Service not being enabled on the interface.
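The two diagnoses above (grant type mismatch versus OAuth Service not enabled) can be told apart from the log Type Ids and the REST API debug handler line. The following is an added example, not Fortinet code: it runs that check over constructed sample records shaped like the ones in this article; the handler-name-to-grant-type mapping and the configured FortiAuthenticator grant type passed in are assumptions.

```python
import re

# Constructed sample input modelled on the article's log entries and REST API
# debug output; not captured from a real device.
SAMPLE_LOG_MESSAGES = [
    (20604, "[sslvpnuser] has successfully logged in guest portal[nextcloud-lab-portal]"),
    (20100, "OAuth login failed: invalid_request"),
]
SAMPLE_DEBUG = [
    "2025-02-06 12:04:49,654 debug 27165 140155504080576 Selecting handler for request "
    "<oauthlib.openid.connect.core.grant_types.authorization_code.AuthorizationCodeGrant "
    "object at 0x7f787cb046d0>.",
]

# Assumed mapping from oauthlib grant handler class names to the grant type
# names used in the FortiAuthenticator GUI.
HANDLER_TO_GRANT = {
    "AuthorizationCodeGrant": "Authorization code",
    "ResourceOwnerPasswordCredentialsGrant": "Password-based",
}

# Matches the handler class name in a "Selecting handler for request" debug line.
_HANDLER_RE = re.compile(r"grant_types\.\w+\.(\w+Grant) object")


def relying_party_grant(debug_lines):
    """Return the grant type the Relying Party requested, or None if no handler line."""
    for line in debug_lines:
        m = _HANDLER_RE.search(line)
        if m:
            return HANDLER_TO_GRANT.get(m.group(1), m.group(1))
    return None


def diagnose(log_messages, debug_lines, fac_grant):
    """Classify a 403 from FortiAuthenticator log Type Ids and the debug output."""
    creds_ok = any(tid == 20604 for tid, _ in log_messages)
    oauth_failed = any(tid == 20100 and "OAuth login failed" in msg for tid, msg in log_messages)
    if not creds_ok:
        return "credential validation failed: troubleshoot that first"
    rp_grant = relying_party_grant(debug_lines)
    if oauth_failed and rp_grant and rp_grant != fac_grant:
        return f"grant type mismatch: RP uses {rp_grant}, FortiAuthenticator uses {fac_grant}"
    if not oauth_failed and rp_grant is None:
        return "no OAuth events: check that OAuth Service is enabled on the interface"
    return "undetermined"
```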