Okta User Receives "403 Access Forbidden" Error When Logging In
Overview
An end user receives a 403 Access Forbidden error when attempting to access Okta due to unmet policy requirements, network zone restrictions, ThreatInsight restrictions, or an expired state token. The user observes the following error message during the login attempt:
403 Access Forbidden
To resolve this issue, review authentication policies, sign-on policies, and network zones to ensure the user meets access requirements.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Authentication Policy
- Sign-on Policy
- Network Zone
- ThreatInsight
- State Token
Cause
The 403 Access Forbidden error indicates that Okta received the request but refused to authorize it, so the user cannot reach the page. This error can occur for several reasons:
- The user does not meet the requirements of the Authentication Policy or Sign-on Policy that applies to them.
- The user connects from an IP address that a Network Zone blocks (for example, an IP zone configured as a blocklist).
- ThreatInsight blocks the request because it considers the source IP address suspicious.
- The state token has expired. The current state token expiration time is 5 minutes, so if the user opens the integrated application, switches to a new browser tab, stays in that tab for more than 5 minutes, and then returns to the original tab to continue, the original tab's state token is no longer valid.
Solution
How is the "403 Access Forbidden" error resolved?
To resolve the 403 Access Forbidden error, work through the causes above in order: the policies that apply to the user, the network zones and ThreatInsight settings that could block the user's IP address, and the state token lifetime.
- Review the Authentication or Sign-on Policies that apply to the user and confirm that the user meets the access requirements in the matching rule.
- Review the configured Network Zones and confirm that no active blocklist zone covers the user's IP address.
- If ThreatInsight is configured to block, check the System Log entry for the failed request to see whether ThreatInsight flagged the source IP address.
- If the user left the login tab open for more than 5 minutes, have them reload the login page (or start again from the application) so that a new state token is issued.
- Review "403 Access Forbidden" when Navigating to the Login Page.
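The two checks that are easiest to get wrong by eye are the network zone review and the state token lifetime. The following script is an added example, not Okta's own code or part of the original article: it takes a list of network zones (the sample data below is constructed and only loosely follows the shape of Okta's Network Zones API, with `type`, `usage`, `status` and `gateways` fields), reports which active zones cover a given client IP, and separately checks whether a state token issued at one timestamp has outlived the 5-minute lifetime by another. Zone and gateway values are made up for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample zones. Field names loosely mirror Okta's Network Zones
# API (type/usage/status/gateways); the values are invented for this example.
SAMPLE_ZONES = [
    {
        "name": "Corporate",
        "type": "IP",
        "usage": "POLICY",
        "status": "ACTIVE",
        "gateways": [{"type": "CIDR", "value": "203.0.113.0/24"}],
    },
    {
        "name": "Known bad ranges",
        "type": "IP",
        "usage": "BLOCKLIST",
        "status": "ACTIVE",
        "gateways": [
            {"type": "CIDR", "value": "198.51.100.0/25"},
            {"type": "RANGE", "value": "192.0.2.10-192.0.2.20"},
        ],
    },
    {
        # Inactive zones never match; an operator reviewing zones by hand
        # can easily mistake this one for an active block.
        "name": "Retired blocklist",
        "type": "IP",
        "usage": "BLOCKLIST",
        "status": "INACTIVE",
        "gateways": [{"type": "CIDR", "value": "192.0.2.0/24"}],
    },
]

# Lifetime stated in the article: the state token expires after 5 minutes.
STATE_TOKEN_LIFETIME = timedelta(minutes=5)


def gateway_contains(gateway, ip):
    """Return True if a CIDR or RANGE gateway entry covers the address."""
    if gateway["type"] == "CIDR":
        # Mixed IPv4/IPv6 comparisons are simply False for networks.
        return ip in ipaddress.ip_network(gateway["value"], strict=False)
    if gateway["type"] == "RANGE":
        start_s, end_s = gateway["value"].split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != ip.version:
            return False
        return start <= ip <= end
    raise ValueError(f"unknown gateway type {gateway['type']!r}")


def zones_covering(zones, client_ip, usage=None):
    """Names of ACTIVE IP zones whose gateways cover client_ip.

    Pass usage="BLOCKLIST" to list only zones that would deny the request,
    or usage="POLICY" for zones that policy rules may reference.
    """
    ip = ipaddress.ip_address(client_ip)
    return [
        z["name"]
        for z in zones
        if z.get("status") == "ACTIVE"
        and z.get("type") == "IP"
        and (usage is None or z.get("usage") == usage)
        and any(gateway_contains(g, ip) for g in z.get("gateways", []))
    ]


def state_token_expired(issued_at_iso, now_iso):
    """True when more than STATE_TOKEN_LIFETIME elapsed between two ISO-8601 timestamps."""
    issued = datetime.fromisoformat(issued_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now - issued > STATE_TOKEN_LIFETIME


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.15", "192.0.2.50", "203.0.113.9"):
        blocked = zones_covering(SAMPLE_ZONES, ip, usage="BLOCKLIST")
        policy = zones_covering(SAMPLE_ZONES, ip, usage="POLICY")
        verdict = f"BLOCKED by {blocked}" if blocked else "not blocked"
        print(f"{ip:16} {verdict}; policy zones: {policy}")
    # User left the tab for six minutes: the original tab's token is stale.
    print("expired:", state_token_expired("2024-01-01T12:00:00+00:00",
                                          "2024-01-01T12:06:00+00:00"))
```

Export the tenant's zones (for example with the Network Zones API) into the same structure and run `zones_covering` against the address shown in the System Log entry for the failed request; an empty blocklist result means the 403 came from a policy, ThreatInsight, or an expired state token rather than from a zone.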
Related References
- "403 Access Forbidden" when Navigating to the Login Page
- iCloud Private Relay Authentication is Blocked by Dynamic Network Zone
- When Accessing the Admin Dashboard a 403 Error Appears
- 403 Access Forbidden on Okta Login from iOS Mobile Devices
- Authentication policies
- Sign-on policies
- Network zones
- State Token
