Redirected to forbidden

I have…

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [ ] Bug report
  • [ X] Performance issue
  • [ ] Documentation issue or request

Current behavior

All of a sudden when I successfully login with an admin account, I see the dashboard but it then the browser quickly redirects to “Forbidden”. I have tried different accounts and different browsers. I am stuck.

Expected behavior

Show the dashboard of course. :slight_smile:

Minimal reproduction of the problem


  • [ ] Self hosted with docker
  • [X ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [ ] Cloud version

Version: latest


  • [ X] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ X] Edge


Not sure how to help. Have you checked the logs or your permissions?

Yes, I have checked everything. It was all working. Went to lunch. Came back and noticed it timed out. Issue happened after logging in again.

Could this be related to my deleting the default API client? If so, how do I fix it?

This appears to be the problem. I see the browser is trying to access the news api and is getting a forbidden. So, is there a way to restore if without completely redoing my configs and DB???

you can just create a new client…

I can’t create a new client because I keep getting redirected. I can’t even create a new app.

Really? The client is irrelevant if you login with your normal user account.

I know. I just discovered it’s happening on a dev environment where I know the API client is still valid. I’m thinking our network team is blocking something incorrectly…I hope it’s that simple because it just doesn’t make sense.

I just discovered I can go directly to an app’s route/dashboard and it works. But if I go back to the top level, it breaks. I’ll let you know!

So, looking at developer tools, I see the App page is accessing “/api/news/features?version=0”. However, it’s returning a 403 forbidden message. It’s using an authorization bearer token. Where would it be getting it from? Also, what does that api supposed to retrieve?

Since it’s happening on a dev and prod server, I assume there’s some setting that’s causing the bug. In the morning, I’ll try to track it down my changes compared to a standard.

The API retrieves feature updates. I think you can turn it off in the settings

Just reviewed the settings on the dev machine…nothing unusual about it. What else could it be???

  "urls": {
     * The url where your squidex installation is available at.
    "baseUrl": ""
  "identity": {
     * Disable authentication with google, github and microsoft login.
    "googleClient": "",
    "googleSecret": "",
    "githubClient": "",
    "githubSecret": "",
    "microsoftClient": "",
    "microsoftSecret": "",
     * Initial username and password.
    "adminEmail": "*********",
    "adminPassword": "********"
  "assetStore": {
    "folder": {
       * Define where to store the assets.
      "path": "D:\\squidex\\assets"
  "orleans": {
     * Disable clustering!
    "clustering": "MongoDB"

The HTML message says forbidden but the title bar says not found. The status code on developer tools is 403, but the statuscode in the response message is 401.

"traceId": "00-c2346874a20ac948b22da79a8f8cb442-947e308bb0484e4f-00",
"type": "",
"statusCode": 401

This could be a bug, but it still does not explain the issue.

I am talking about these settings:

Please do not change that. I have made a change to swallow exception for this endpoint.

I added those exact settings in and still no luck. I even added the hideNews and setting it to true.

It has something to do with one of the apps trying to read something. I can get to anything past “app” by going directly to the URL, so it’s not a permission thing on any of the apps. I just changed the admin email and added “adminRecreate”. I was able to get in but of course could not see any of the other test apps. So, I logged back in with my other admin account and added the new admin account as the owner of one the apps. I then relogged back in with the new admin account, and the error now occurs for it.

Very odd. I just removed the new admin from the other app. Logged back and I can see the root of APP. I then created a new blank app. When I logged out and then back in, the error now occurs for the new admin when trying to load the dashboard with an empty app.

The admin has permissions to everything but he does not not see the apps in the overview, because I have too much apps in the cloud to make it work properly. You have to add an explicit permission to your account in the administration section and then login again.


FYI, I just blew out the MongoDB and started from scratch. Logged in, created a new blank app, logged out and back in, the error occurs…

Yes, the news dialog is not shown the first time. I am not sure why you get this issue, but anyway: I fixed this in the current dev version.

But I don’t understand why you get the 403/401 thing. I cannot reproduce it.