When you are setting up a fresh instance of Sitecore 9.1 or later, there is nothing more frustrating than completing a long Sitecore Installation Framework (SIF) process only to be greeted by a cryptic error on your first login attempt. The Sitecore Identity Server unauthorized_client error is a common roadblock for developers, often appearing right after the redirect from the CMS to the Identity login page.

This error occurs because Sitecore Identity Server, which is built on IdentityServer4, is highly sensitive to security configurations. It acts as a gatekeeper, and if it doesn't explicitly recognize the URL you are trying to log in from, it will deny the request to protect your application. In this guide, you will learn exactly how to diagnose this issue, modify your configuration files, and ensure your Cross-Origin Resource Sharing (CORS) settings are perfectly aligned with your local environment.

Error Message

Understanding the Identity Server unauthorized_client Error

Starting with Sitecore 9.1, Sitecore moved away from the legacy ASP.NET membership provider for its primary authentication mechanism, introducing a standalone Identity Server. This server is a separate .NET Core application that handles authentication via OpenID Connect and OAuth2.

The unauthorized_client error—and its sibling, the invalid_request error—typically indicates a mismatch between the client making the request (your Sitecore CMS instance) and the allowed configurations on the Identity Server. Specifically, the Identity Server maintains a list of "Allowed CORS Origins." If the URL in your browser doesn't match an entry in that list, the authentication handshake fails immediately.

You might encounter this if you customized your site names during installation (e.g., using .dev.sc.local instead of the default .dev.local) or if you manually updated your IIS host bindings to use HTTPS after the installation was already complete.

How to Configure AllowedCorsOrigins

To fix this error, you need to tell the Identity Server that your specific CMS URL is a trusted origin. This is handled via the Sitecore.IdentityServer.Host.xml file. Follow these steps to resolve the issue:

Step 1: Locate the Configuration File

Navigate to the file system where your Identity Server instance is installed. Typically, this is located at: C:\inetpub\wwwroot\[YourIdentityServerSite]\Config\production\Sitecore.IdentityServer.Host.xml

Step 2: Add Your CMS URL to the Allowed Origins

Open the file and look for the <AllowedCorsOrigins> section. You will need to add a new group entry that contains your CMS URL. It is highly recommended to include both the HTTP and HTTPS versions if you are working in a local development environment, though HTTPS is mandatory for production.

Update the XML as follows:

wzxhzdk:0

Step 3: Recycle the Application Pool

Because the Identity Server is a .NET Core application running under the Sitecore Host environment, it reads these configurations at startup. After saving the file, you must recycle the Identity Server Application Pool in IIS for the changes to take effect.

Advanced Configuration: Using Pipe Delimiters

If you are managing multiple environments or have several local host headers pointing to the same instance, you don't necessarily need to create AllowedCorsOriginsGroup3, Group4, and so on. Sitecore Identity Server supports pipe-separated lists within a single group tag.

This is often cleaner and easier to manage in your deployment scripts. You can define your origins like this:

wzxhzdk:1

This approach is particularly useful when using SIF or Sitecore Container environment variables, as it allows you to pass a single string containing multiple valid URLs.

Troubleshooting the invalid_request Variation

Sometimes, instead of unauthorized_client, you might see a message stating invalid_request. While the root cause is similar, this specifically refers to a mismatch in the redirect_uri.

If your Identity Server logs (found in /App_Data/Logs) show an error like Invalid redirect_uri: "https://scmsx.int.sxp.local/identity/signin", it means the client ID is recognized, but the specific URL where Identity Server is supposed to send the token back to is not in the allowed list.

Ensure that the URL you have configured in Sitecore.IdentityServer.Host.xml exactly matches the URL you are using in your browser, including the protocol (HTTPS) and any subdomains. A common mistake is having a typo in the Identity Server configuration that points to a slightly different hostname than the one configured in IIS.

The Importance of SSL in Sitecore 9.1+

One of the most frequent causes of authentication failure in modern Sitecore versions is the lack of a valid SSL certificate. Sitecore Identity Server is designed to be secure by default. If you attempt to access your Sitecore admin panel via http://site.local/sitecore, the Identity Server may reject the request or fail to set the necessary cookies.

Always ensure: 1. Your IIS bindings for both the CMS and Identity Server include HTTPS. 2. Your browser trusts the self-signed certificate (or the certificate issued by your internal CA). 3. Your Sitecore.IdentityServer.Host.xml uses the https:// prefix for all allowed origins.

Frequently Asked Questions

Why did this error appear suddenly after I changed my IIS bindings?

Identity Server is not aware of changes made directly in IIS. If you change your site's host header or switch from HTTP to HTTPS in IIS, you must manually update the AllowedCorsOrigins in the Identity Server configuration file to match the new binding.

Can I use wildcards in the AllowedCorsOrigins configuration?

No, for security reasons, IdentityServer4 (the engine behind Sitecore Identity) does not support wildcards in the CORS origin list. Each specific origin must be explicitly defined to prevent cross-site scripting and redirection attacks.

Where can I find the Identity Server logs to see more details?

Check the App_Data/Logs folder within your Identity Server website root. Look for logs starting with identityserver. These logs provide detailed information about why a specific request was rejected, including the exact redirect_uri that failed validation.

Wrapping Up

Authentication issues in Sitecore 9.1 and higher can be intimidating because of the added architectural layers, but the unauthorized_client error is almost always a simple configuration mismatch. By ensuring your Sitecore.IdentityServer.Host.xml file correctly lists your CMS URLs in the AllowedCorsOrigins section, you can resolve these handshake issues quickly.

Remember to always prioritize HTTPS, use pipe delimiters for cleaner configuration, and always recycle your application pools after making changes to the Sitecore Host configuration files. With these steps, you'll have your Sitecore environment up and running in no time.