PingAuthorize

Denied Reason

Use denied-reason to allow a policy writer to provide an error message that contains the reason for denying a request.

Description Details

Applicable to

DENY decisions

The Denied Reason statement only applies to SCIM searches using the optimized search response authorization mode.

Additional information

The payload for Denied Reason statements is a JSON object string with the following fields:

  • status – Contains the HTTP status code returned to the client. If this field is absent, the default status is 403 Forbidden.

  • message – Contains a short error message returned to the client.

  • detail (optional) – Contains additional, more detailed error information.

The following example shows a possible response for a request made with insufficient scope\{"status":403, "message":"insufficient_scope", "detail":"Requested operation not allowed by the granted OAuth scopes."}