Error cases
This topic describes possible error cases and their solutions.
Consent Service is unavailable
If the Consent Service is unavailable, check the following:
- Ensure that the service is enabled and that communication with the service is available.
- Confirm that the service account for the Consent Service has been properly provisioned.
- If the Consent Service resides on a PingDirectoryProxy server, make sure that the service account exists on the PingDirectoryProxy server and all PingDirectory servers behind the PingDirectoryProxy server.
Requester lacks sufficient rights to perform operation
A request might be rejected with a 403 for the following reasons:
- The bearer token does not contain a required scope. Check the privileged-consent-scope and unprivileged-consent-scope properties of the Consent Service configuration.
- The bearer token does not contain a required audience claim. Check the audience property of the Consent Service configuration.
- Authentication was successful, but the requester is unprivileged and attempted to perform an operation that only a privileged requester can perform. For example, the requester attempted to act upon a consent record that it does not own, or it attempted to delete a consent record.
When using basic authentication, the requester must be listed in the Consent Service configuration service-account-dn property to be considered privileged.
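The following troubleshooting helper is an added example, not part of the product or its documentation. It decodes a bearer token's claims and reports which of the 403 causes listed above applies. It assumes the access token is a JWT whose scopes are in a scope claim and whose audience is in an aud claim, and that a token needs at least one of the two configured scopes; the configuration values and function names are constructed for illustration.

```python
import base64
import json

# Constructed sample values; substitute those from your own configuration.
CONFIG = {
    "privileged-consent-scope": "consent_admin",
    "unprivileged-consent-scope": "consent_user",
    "audience": "https://consent.example.com",
}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it (troubleshooting only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def as_set(value):
    """Normalize a claim that may be a space-delimited string or a list."""
    if value is None:
        return set()
    return set(value.split()) if isinstance(value, str) else set(value)


def diagnose_403(claims, config=CONFIG):
    """Return (findings, level); level is 'privileged', 'unprivileged' or None."""
    findings = []
    scopes = as_set(claims.get("scope"))
    # Assumption: the privileged scope takes precedence when both are present.
    if config["privileged-consent-scope"] in scopes:
        level = "privileged"
    elif config["unprivileged-consent-scope"] in scopes:
        level = "unprivileged"
    else:
        level = None
        findings.append("token carries neither configured consent scope")
    if config["audience"] not in as_set(claims.get("aud")):
        findings.append("aud claim does not include the configured audience")
    if level == "unprivileged":
        findings.append("unprivileged requester: own records only, no delete")
    return findings, level
```

Run it against a token captured from the failing request, for example diagnose_403(jwt_claims(token)); an empty findings list with level 'privileged' means the 403 has a cause other than scope, audience or privilege level.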
Subject and actor do not match
Only a privileged requester can create or modify a consent record whose subject and actor values do not match.