Fixing “unauthorized_client” on Sitecore Identity Server

When attempting to log into Sitecore 9.1 or 9.2 you might see the error “Sorry, there was an error: unauthorized client” on the Identity Server login screen.

This is probably because you’ve been redirected from the Sitecore login page and arrived at the Identity Server from a different hostname than that which was configured at the time the Sitecore infrastructure was deployed. For example, your site may have been deployed as https://test-sitecore-single.azurewebsites.net but later a more friendly hostname like https://testserver.myco.com was assigned to the Sitecore instance. When you try to log in via https://testserver.myco.com/sitecore you will be redirected to the Identity Server which does not recognize that host as an allowed origin.

To fix this, edit the following file in your Identity Server instance:

{siteroot}\Config\production\Sitecore.IdentityServer.Host.xml

and add your Sitecore URL to the AllowedCorsOriginsGroup1 element, as in the example below:

<AllowedCorsOrigins>
    <AllowedCorsOriginsGroup1>https://test-sitecore-single.azurewebsites.net|https://testserver.myco.com</AllowedCorsOriginsGroup1>
</AllowedCorsOrigins>

Note that the URLs are separated by a “|” (pipe) symbol.

You will also need to recycle your Identity Server instance, because XML config files do not trigger a recycle in the way that Sitecore config files do. Also, delete any cookies you have from the ID server and attempt to log in again from the Sitecore login page; otherwise the error message will still be displayed.
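As an added example (not part of the original post and not Sitecore's own tooling), the helper below reads a config file of this shape, reports whether the origin of a given login URL is already listed, and appends a missing origin to the pipe-separated AllowedCorsOriginsGroup1 value without duplicating it. The root element in the sample is a constructed placeholder, and the matching rule (scheme and host, default port dropped, no path) is an assumption about how the server compares origins.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed sample: the post's snippet wrapped in a placeholder root; the real
# file has other elements, so the helpers search by tag rather than by path.
SAMPLE_XML = """<Settings>
  <AllowedCorsOrigins>
    <AllowedCorsOriginsGroup1>https://test-sitecore-single.azurewebsites.net</AllowedCorsOriginsGroup1>
  </AllowedCorsOrigins>
</Settings>"""

DEFAULT_PORTS = {"https": 443, "http": 80}

def normalize_origin(url):
    """Reduce a URL to its origin (scheme://host[:port]). The login URL people
    copy is usually https://host/sitecore; the path must not end up in the list."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    host = parts.hostname.lower()
    if parts.port is None or parts.port == DEFAULT_PORTS[parts.scheme]:
        return "%s://%s" % (parts.scheme, host)
    return "%s://%s:%d" % (parts.scheme, host, parts.port)

def parse_group(value):
    """Split the pipe-separated value; stray or doubled pipes yield no empty entries."""
    return [o.strip() for o in (value or "").split("|") if o.strip()]

def find_group(root):
    group = root.find(".//AllowedCorsOriginsGroup1")
    if group is None:
        raise LookupError("AllowedCorsOriginsGroup1 not found")
    return group

def origin_allowed(xml_text, url):
    """Diagnostic: is the origin of a login started from this URL in the list?"""
    return normalize_origin(url) in parse_group(find_group(ET.fromstring(xml_text)).text)

def add_origin(xml_text, url):
    """Return (updated XML, changed). Adds one exact origin; idempotent.
    ElementTree drops XML comments, so diff the result before writing it back."""
    root = ET.fromstring(xml_text)
    group = find_group(root)
    origins = parse_group(group.text)
    origin = normalize_origin(url)
    if origin in origins:
        return xml_text, False
    group.text = "|".join(origins + [origin])
    return ET.tostring(root, encoding="unicode"), True
```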

There are many other options for configuring the Identity Server which are documented here.