Sign Up with Social Login

I set up a Custom Social Signup with /api/method/frappe.integrations.oauth2_logins.login_via_oauth2.
I enabled under Website settings signup but I still get the following message:

Not Permitted
You do not have enough permissions to complete the action
Status: 403

To give some context: I tried to login/signup with a user from the IDM which isn’t already created in ERPNext. After the user was authenticated the message was shown.
For me this looks like an authorization issue which could be solved somehow in ERPNext.
From the perspektive of the IDM the access was granted so I guess that this is not the issue.

Does someone know what I need to change? I’m very new to ERPNext

can you share more details about your social login key

you can skip the id and secret when you share here.

if it’s custom social login key the redirect uri has component that comes from social login key name.

example custom login with custom app: GitHub - castlecraft/microsoft_integration: Microsoft Integrations for Frappe Framework

example redirect uri for custom key: /api/method/frappe.integrations.oauth2_logins.custom/{key_name}

I replaced the previous redirect uri with the one you mentioned. Now I get a different error:

Traceback (most recent call last):
  File "apps/frappe/frappe/", line 66, in application
    response = frappe.api.handle()
  File "apps/frappe/frappe/", line 54, in handle
    return frappe.handler.handle()
  File "apps/frappe/frappe/", line 45, in handle
    data = execute_cmd(cmd)
  File "apps/frappe/frappe/", line 83, in execute_cmd
    return, **frappe.form_dict)
  File "apps/frappe/frappe/", line 1607, in call
    return fn(*args, **newargs)
  File "apps/frappe/frappe/integrations/", line 58, in custom
    login_via_oauth2(provider, code, state, decoder=decoder_compat)
  File "apps/frappe/frappe/utils/", line 115, in login_via_oauth2
    info = get_info_via_oauth(provider, code, decoder)
  File "apps/frappe/frappe/utils/", line 143, in get_info_via_oauth
    session = flow.get_auth_session(**args)
  File "env/lib/python3.10/site-packages/rauth/", line 556, in get_auth_session
    session = self.get_session(self.get_access_token(method, **kwargs))
  File "env/lib/python3.10/site-packages/rauth/", line 542, in get_access_token
    access_token, = process_token_request(r, decoder, key)
  File "env/lib/python3.10/site-packages/rauth/", line 20, in process_token_request
    data = decoder(r.content)
  File "apps/frappe/frappe/integrations/", line 63, in decoder_compat
    return json.loads(bytes(b).decode("utf-8"))
  File "/usr/local/lib/python3.10/json/", line 346, in loads
    return _default_decoder.decode(s)
  File "/usr/local/lib/python3.10/json/", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/local/lib/python3.10/json/", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

I’m using the authentik provider

Base URL:
Authorize URL: /application/o/authorize/
Access Token URL: /application/o/token/
Redirect URL: /api/method/frappe.integrations.oauth2_logins.custom/authentik
API Endpoint:
Auth URL Data: {"scope": "openid profile email", "response_type": "code"}

On the Authentik side i use as redirect url:

This page is the redirect endpoint where you get the error?

Do you see ?state=xyz&code=pqr appended to the url params?

If you see these params then we need to debug the code exchange request and response.

That response is either non 200 or non-json.

The code exchange request is made here frappe/ at 090c91b44fb116c28d52e440599d9e95d4d00b21 · frappe/frappe · GitHub

yes i see:

can you give me access to authentik test setup somewhere? I’ll debug locally the responses and check.

for authentik make sure you’ve a trailing / on token endpoint e.g. /application/o/token/

without it the endpoint returns 301 redirect which is not expected by token request made by frappe.

yes i do have the same problem and the trailing / is there what can i do now, i can create an authentik instance for trail purpose if need for u