When we first noticed this error message, we were setting up Sitecore Identity Server with Federated Authentication using Azure AD in our QA environment. Our Content Management server was set up correctly, but because we also required users to log into the Content Delivery server when accessing the site, that is where we were presented with the error: Sorry, there was an error: unauthorized_client.
Why Are We Getting The Error?
The reason we're getting the error is remarkably simple. Because we're using Sitecore Identity Server, by default it expects requests to come only from the Content Management server (or, in a Single Instance setup such as a local dev environment, from the only instance). When setting up the Content Management service, there is a chance that you also need to access it from multiple domains, which is why you might never encounter this in a Single Instance environment.
Let's Fix It
There are two steps to resolving this error. One fix involves editing a config file, and the second is somewhat optional depending on how you're accessing the site.
Update Sitecore Identity Server Config
Let's open the file \Config\production\Sitecore.IdentityServer.Host.xml, which is found in the Sitecore Identity Server site root.
Locate the AllowedCorsOrigins tag. You'll notice that (likely) there is only one URL there. Ensure that every domain that needs to communicate with the Identity Server is in that line, separated by the | symbol. If your server has multiple URLs, each of those needs its own entry.
In our case, we're in an Azure QA environment with a CM and CD app service. As such, it should look something like this if we need users to log in for CD.
<AllowedCorsOrigins>
<AllowedCorsOriginsGroup1>https://abc-cm.azurewebsites.net|https://abc-cd.azurewebsites.net|</AllowedCorsOriginsGroup1>
</AllowedCorsOrigins>
Once updated, restart your Sitecore Identity Server.
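As an added example (not Sitecore's own tooling), the following Python script reads the AllowedCorsOriginsGroup1 value, drops empty entries such as the one a trailing | leaves behind, rejects anything that is not an exact https origin (no wildcards, no paths), and merges in the CD origin before writing the value back as a | list. The XML wrapper and host names below are constructed placeholders, not taken from a real installation.

```python
"""Check and extend AllowedCorsOrigins from Sitecore.IdentityServer.Host.xml.

Added example, not Sitecore's own code. The XML fragment is constructed to
mirror the snippet in the post; the wrapper element and host names are
placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the shape of the AllowedCorsOrigins block (hosts are placeholders).
SAMPLE_XML = """<Settings>
  <AllowedCorsOrigins>
    <AllowedCorsOriginsGroup1>https://abc-cm.azurewebsites.net|https://abc-cd.azurewebsites.net|</AllowedCorsOriginsGroup1>
  </AllowedCorsOrigins>
</Settings>"""


def parse_origins(xml_text):
    """Return the '|'-separated origins, dropping empty entries (e.g. from a trailing '|')."""
    root = ET.fromstring(xml_text)
    node = root.find(".//AllowedCorsOriginsGroup1")  # nesting-agnostic lookup
    if node is None or not node.text:
        return []
    return [o.strip() for o in node.text.split("|") if o.strip()]


def origin_problems(origin):
    """Reasons an entry is not a safe, exact CORS origin; an empty list means it is acceptable."""
    problems = []
    parts = urlsplit(origin)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.netloc:
        problems.append("missing host")
    if "*" in parts.netloc:
        problems.append("wildcard hosts are not exact origins")
    if parts.path or parts.query or parts.fragment:
        problems.append("origin must not carry a path, query or fragment")
    return problems


def build_group(origins, extra):
    """Merge extra origins (e.g. the CD host) in, de-duplicate, validate, and serialise with '|'."""
    merged = []
    for o in list(origins) + list(extra):
        o = o.strip().rstrip("/")  # a trailing slash would otherwise read as a path
        if o and o not in merged:
            merged.append(o)
    bad = {o: origin_problems(o) for o in merged if origin_problems(o)}
    if bad:
        raise ValueError(f"rejected origins: {bad}")
    return "|".join(merged)
```

Run parse_origins on the real file's text, pass the result plus the CD origin to build_group, and paste the returned string back into AllowedCorsOriginsGroup1 before restarting the Identity Server.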
Clear Browser Cookies
Depending on the browser state, you may or may not need to do this. While on the Sitecore Identity Server page, go into Inspect mode and clear the cookies for the page. Once that's done, navigate back to the original URL you were accessing. This might be the /sitecore/login page of the Content Management server. You should now see it redirect to the Identity Server without the error.