Okta Workforce or OpenID Connect Connection Returns 403 Forbidden Error

Overview

This article addresses a 403 Forbidden error that occurs when setting up an Enterprise Connection to Okta Workforce (or a generic OpenID Connect connection), even though the connection is configured correctly. The user can sign in to Okta, but once Okta redirects the browser back to Auth0 the login fails and the following entry is recorded in the Auth0 tenant logs:

{
  ...
  "type": "f",
  "description": "expected 200 OK, got: 403 Forbidden",
  ...
  "error": {
    "message": "expected 200 OK, got: 403 Forbidden",
    "oauthError": "access_denied",
    "type": "oauth-authorization"
  },
  ...
}

Applies To

  • Okta Workforce
  • OpenID Connect (OIDC) Connection
  • Enterprise Connection
  • 403 Forbidden Error

Cause

The 403 is returned by Okta's /oauth2/v1/token endpoint, not by Auth0. In the OIDC authorization code flow the user's browser completes the sign-in at Okta, but the subsequent exchange of the authorization code for tokens is a server-to-server request made from Auth0's infrastructure. If the Okta org has an IP or network-zone restriction that blocks the region where the Auth0 tenant is hosted, that token request is denied with 403 while the browser-based sign-in still succeeds, which matches the symptom above. The same restriction can also block other endpoints on the Okta domain (for example, the discovery document or signing keys), so the failure is not always limited to the token endpoint.
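Before raising a ticket it helps to confirm from the tenant logs that the failure really is an upstream HTTP 403 from the IdP rather than a credential or redirect-URI mistake on the Auth0 side, which Auth0 reports with the same "access_denied" OAuth error but a different upstream status. The following script is an added example, not part of this article or of Auth0's tooling: it scans Auth0 log events for the "expected 200 OK, got: <status>" pattern and classifies each one. The field names (type, description, connection, error.oauthError) follow the Auth0 tenant log format; the sample events are constructed, and the 400/401 branch is an assumption based on how OAuth token endpoints commonly report invalid client credentials.

```python
"""Triage Auth0 tenant log events for HTTP failures returned by an upstream
OIDC identity provider such as Okta Workforce.

Added example, not part of the Auth0 article. The sample events below are
constructed for this demo; their shape follows Auth0 tenant logs.
"""
import re
from typing import Optional

# Auth0 reports an unexpected HTTP reply from the upstream IdP as
# "expected 200 OK, got: <status> <reason>" in the event description.
UPSTREAM_STATUS_RE = re.compile(r"expected 200 OK, got: (\d{3})\b")


def parse_upstream_status(description: str) -> Optional[int]:
    """Return the HTTP status the upstream IdP answered with, if any."""
    m = UPSTREAM_STATUS_RE.search(description or "")
    return int(m.group(1)) if m else None


def triage_event(event: dict) -> dict:
    """Classify one Auth0 log event.

    Separates the case this article covers (the IdP answering 403 to Auth0's
    server-side token request, which Auth0 cannot fix) from failures that
    point at the connection's own configuration.
    """
    err = event.get("error") or {}
    status = (parse_upstream_status(event.get("description", ""))
              or parse_upstream_status(err.get("message", "")))
    result = {
        "log_id": event.get("log_id"),
        "connection": event.get("connection"),
        "upstream_status": status,
    }
    # Auth0 log type "f" is "Failed Login"; anything else is not a failure
    # we need to look at here.
    if event.get("type") != "f" or status is None:
        result["verdict"] = "not an upstream HTTP failure"
    elif status == 403:
        result["verdict"] = ("upstream IdP denied Auth0's request (likely an IP or "
                             "network-zone block on the IdP side); raise with the "
                             "IdP and include the Auth0 tenant region")
    elif status in (400, 401):
        # Assumption: token endpoints typically answer 400/401 for a bad
        # client ID/secret, redirect URI or grant, i.e. a connection setting.
        result["verdict"] = ("upstream IdP rejected the request itself; check the "
                             "client ID/secret, redirect URI and scopes on the "
                             "Auth0 connection")
    elif status >= 500:
        result["verdict"] = "upstream IdP error; retry and check the IdP's status page"
    else:
        result["verdict"] = f"unexpected upstream status {status}; inspect manually"
    return result


def triage_events(events):
    """Triage a list of log events in order."""
    return [triage_event(e) for e in events]


# Constructed sample events (field names follow Auth0 tenant logs; values are made up).
SAMPLE_EVENTS = [
    {   # the case from the article: Okta's token endpoint answered 403
        "log_id": "evt-1", "type": "f", "connection": "okta-workforce",
        "description": "expected 200 OK, got: 403 Forbidden",
        "error": {"message": "expected 200 OK, got: 403 Forbidden",
                  "oauthError": "access_denied", "type": "oauth-authorization"},
    },
    {   # a wrong client secret on the connection shows up as 401 from the IdP instead
        "log_id": "evt-2", "type": "f", "connection": "okta-workforce",
        "description": "expected 200 OK, got: 401 Unauthorized",
        "error": {"message": "expected 200 OK, got: 401 Unauthorized",
                  "oauthError": "access_denied", "type": "oauth-authorization"},
    },
    {   # a successful login; nothing to triage
        "log_id": "evt-3", "type": "s", "connection": "okta-workforce",
        "description": "",
    },
]

if __name__ == "__main__":
    for r in triage_events(SAMPLE_EVENTS):
        print(r["log_id"], r["upstream_status"], "->", r["verdict"])
```

Feed the script the JSON events exported from the tenant logs (or retrieved through the Management API) and look for 403 verdicts on the affected connection; a run of 403s from the token endpoint alongside users who do reach Okta's sign-in page is the signature of an IdP-side block.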

Solution

This issue originates in the Okta org's configuration and cannot be resolved from within Auth0.

  1. Raise a ticket with Okta Support, including the Okta org domain, the timestamp and the Auth0 log entry shown above.

  2. Ask Okta Support to confirm whether traffic from the region where the Auth0 tenant is hosted is being blocked from reaching the /oauth2/v1/token endpoint (and any other Okta endpoints the connection uses).

  3. Ask for the block to be removed, or for the Auth0 region to be allowed.
