How To Resolve The "unauthorized_client" Error Message In Sitecore

August 9, 2021

By David Austin

When we first noticed this error message we were setting up Sitecore Identity Server with Federated Authentication using Azure AD in our QA environment. Our Content Management server was set up correctly, but because we also required users to log into the Content Delivery server when accessing the site, that is where we were presented with the error: "Sorry, there was an error: unauthorized_client".

Example of the error message:

Why Are We Getting The Error?

The reason we're getting the error is remarkably simple. By default, Sitecore Identity Server expects requests to come from the Content Management server (or, in a Single Instance setup such as a local dev environment, from the only instance there is). When setting up the Content Management service there is a chance that you also need to reach it from multiple domains, and any domain that is not known to the Identity Server is rejected. That is why you might never encounter this in a Single Instance environment.

Let's Fix It

There are two steps to resolving this error. The first involves editing a config file; the second is somewhat optional depending on how you're accessing the site.

Update Sitecore Identity Server Config

Let's open the file \Config\production\Sitecore.IdentityServer.Host.xml which is found in the Sitecore Identity Server site root.

Locate the AllowedCorsOrigins tag. You'll notice that there is (likely) only one URL there. Ensure that every domain that needs to communicate with the Identity Server is listed in that element, with the entries separated by the | symbol. If your server is reachable on multiple URLs, each of those needs its own entry.

In our case, we're in an Azure QA environment with a CM and CD app service. As such, it should look something like this if we need users to log in for CD.


<AllowedCorsOrigins>
  <AllowedCorsOriginsGroup1>https://abc-cm.azurewebsites.net|https://abc-cd.azurewebsites.net|</AllowedCorsOriginsGroup1>
</AllowedCorsOrigins>

Once updated, restart your Sitecore Identity Server.
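As an added helper (not part of the original post or of Sitecore itself), the following script checks whether a Sitecore.IdentityServer.Host.xml file already lists the origins you need in AllowedCorsOriginsGroup1 and appends any that are missing. Because a CORS origin must match scheme and host exactly, each value is reduced to scheme://host[:port] before comparing, and empty entries (for example from a trailing |) are ignored. The config snippet and hostnames below are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of the relevant section of Sitecore.IdentityServer.Host.xml:
# only the CM origin is allowed, which is the state that produces "unauthorized_client"
# when users are sent to the Identity Server from the CD site.
SAMPLE_CONFIG = """<Settings><Sitecore><IdentityServer>
  <AllowedCorsOrigins>
    <AllowedCorsOriginsGroup1>https://abc-cm.azurewebsites.net|</AllowedCorsOriginsGroup1>
  </AllowedCorsOrigins>
</IdentityServer></Sitecore></Settings>"""

GROUP_PATH = ".//AllowedCorsOrigins/AllowedCorsOriginsGroup1"

def normalize_origin(url):
    """Reduce a URL to its CORS origin: lowercase scheme://host[:port], no path."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"

def read_origins(xml_text):
    """Return the configured origins, skipping empty entries such as a trailing '|'."""
    node = ET.fromstring(xml_text).find(GROUP_PATH)
    if node is None or not node.text:
        return []
    return [normalize_origin(o) for o in node.text.split("|") if o.strip()]

def missing_origins(xml_text, required):
    """Origins from `required` (e.g. the CM and CD site URLs) not yet allowed."""
    present = set(read_origins(xml_text))
    return [o for o in map(normalize_origin, required) if o not in present]

def add_origins(xml_text, required):
    """Return the config text with any missing origins appended, '|'-separated."""
    missing = missing_origins(xml_text, required)
    if not missing:
        return xml_text  # nothing to change; leave the file untouched
    root = ET.fromstring(xml_text)
    node = root.find(GROUP_PATH)
    node.text = "|".join(read_origins(xml_text) + missing)
    return ET.tostring(root, encoding="unicode")
```

Only add origins you control; every entry in this element is a site the Identity Server will accept cross-origin requests from.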

Clear Browser Cookies

Depending on the browser state you may or may not need to do this. While on the Sitecore Identity Server page, open the browser's developer tools (Inspect) and clear the cookies for the page. Once that's done, navigate back to the original URL you were accessing; this might be the /sitecore/login page of the Content Management server. You should now see it redirect to the Identity Server without the error.


David Austin

Development Team Lead | Sitecore Technology MVP x 3

David is a decorated Development Team Lead with Sitecore Technology MVP and Coveo MVP awards, as well as Sitecore CDP & Personalize Certified. He's worked in IT for 25 years; everything ranging from Developer to Business Analyst to Group Lead helping manage everything from Intranet and Internet sites to facility management and application support. David is a dedicated family man who loves to spend time with his girls. He's also an avid photographer and loves to explore new places.