ForgeRock Identity Platform
Does not apply to Identity Cloud

"The authenticated client is not authorized to use this authorization grant type" response to an OAuth 2.0 endpoint in AM 6.5.x and 7.x

Last updated Jan 16, 2023

The purpose of this article is to provide assistance if you encounter the following error when making a call to an OAuth 2.0 endpoint in AM 6.5.x: "The authenticated client is not authorized to use this authorization grant type" or a refresh_token is not issued.

Symptoms
The following error is returned when you make a call to an OAuth 2.0 endpoint using a flow other than authorization_code:

{
  "error": "unauthorized_client",
  "error_description": "The authenticated client is not authorized to use this authorization grant type."
}

In AM (and later 6.5.0.x patches) and AM 6.5.1 onwards, refresh tokens are not issued even though the Issue Refresh Tokens on Refreshing Access Tokens option is enabled for the OAuth2 provider.

Recent Changes

Upgraded to, or installed, AM 6.5 or later.

Causes
Changes were made in AM 6.5 to allow OAuth2 clients to be restricted to particular grant flows. In earlier versions, AM would issue tokens for any inbound grant_type. This change means you must explicitly add permitted grant types to each client when you create them; the authorization_code grant type is added to all new clients by default as it's the most secure flow. If a client has not been configured for a particular grant type (for example, Implicit) and you make a call to an OAuth2 endpoint using that grant_type, it will fail with the error shown in the Symptoms section.

Subsequent changes were made in AM and AM 6.5.1 that extend the above behavior to include refresh tokens. This means the refresh_token grant type must now be added to OAuth2 clients in order to obtain a refresh token.

See Improvements in AM 6.5 and Important Changes in AM 6.5.1 for further information about these changes.


If you upgrade to AM 6.5 and later by following the recommended process to upgrade the data in the configuration store (via the Upgrade Wizard in the AM admin UI or by using the upgrade tool), all grant types are added to existing clients to maintain backwards compatibility. This means you will only need to configure grant_types for new clients if you have upgraded.

Solution
This issue can be resolved as follows depending on whether you are experiencing issues with existing clients and/or new clients:

Existing clients

Follow the steps in the Upgrade guide to upgrade the data in the configuration store to ensure all existing clients have all grant types (Authorization Code, Back Channel Request, Implicit, Resource Owner Password Credentials, Client Credentials, Refresh Token, UMA, Device Code, SAML2). See Upgrade from a supported version for further information.

New clients

Add permitted grant types to your clients using either the AM admin UI or Amster:
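As an added illustration (not code from the article or from ForgeRock), the following Python models the per-client grant-type check described above, including the refresh_token rule, so you can see which outcome a given client configuration produces before touching a live server; the grant_type wire values are the standard ones, but their pairing with AM's display names and the sample client data are assumptions.

```python
# Added example, not part of the ForgeRock article: a model of the per-client
# grant-type check AM 6.5+ applies at the OAuth 2.0 token endpoint, plus a
# helper that lists which grant types a client still lacks. The grant_type
# wire values are the standard ones; pairing them with AM's display names and
# the sample client data are my assumptions.

# AM admin UI display name -> grant_type value sent to the token endpoint.
GRANT_TYPES = {
    "Authorization Code": "authorization_code",
    "Back Channel Request": "urn:openid:params:grant-type:ciba",
    "Implicit": "implicit",
    "Resource Owner Password Credentials": "password",
    "Client Credentials": "client_credentials",
    "Refresh Token": "refresh_token",
    "UMA": "urn:ietf:params:oauth:grant-type:uma-ticket",
    "Device Code": "urn:ietf:params:oauth:grant-type:device_code",
    "SAML2": "urn:ietf:params:oauth:grant-type:saml2-bearer",
}

# Constructed sample: a client created fresh in AM 6.5+ (only the default
# grant type) next to one upgraded via the Upgrade Wizard (all grant types).
CLIENTS = {
    "newClient": {"grantTypes": ["authorization_code"]},
    "upgradedClient": {"grantTypes": sorted(GRANT_TYPES.values())},
}


def token_request_outcome(client, grant_type, issue_refresh=True):
    """Return the error AM 6.5+ gives, or the token kinds it would issue.

    issue_refresh models the provider's 'Issue Refresh Tokens' option; since
    AM 6.5.1 the client must also be allowed the refresh_token grant type.
    """
    allowed = set(client["grantTypes"])
    if grant_type not in allowed:
        return {"error": "unauthorized_client", "error_description":
                "The authenticated client is not authorized to use this "
                "authorization grant type."}
    tokens = ["access_token"]
    # The implicit grant never yields a refresh token (RFC 6749 section 4.2.2).
    if issue_refresh and "refresh_token" in allowed and grant_type != "implicit":
        tokens.append("refresh_token")
    return {"tokens": tokens}


def missing_grant_types(client):
    """Display names of grant types not yet permitted for this client."""
    allowed = set(client["grantTypes"])
    return [name for name, value in GRANT_TYPES.items() if value not in allowed]
```

Running missing_grant_types over a dump of your client configurations after an upgrade is a quick way to confirm the Upgrade Wizard or upgrade tool added every grant type to existing clients.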

See Also

FAQ: OAuth 2.0 in Identity Cloud and AM

OAuth 2.0 and OIDC in AM

OAuth 2.0

Related Training


Related Issue Tracker IDs

OPENAM-14780 (Refresh token missing when switching from 6.5.0 to 6.5.1)

OPENAM-14111 (Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow)

OPENAM-11032 (Need an option to limit, allow or deny OAuth2.0 flows per application)

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.