Troubleshoot access management
This article has troubleshooting tips to help you resolve the issues if you are receiving errors or seeing unexpected behavior related to access management.
Token and claims
If there are any issues with a user's authentication, you can retrieve and read issued JWTs from a web browser using the Network section of the Developer tools. By default, the content of the claims in the token is encoded in a non-human readable format. To read the token content, you must paste it into a JWT decoding tool such as jwt.ms.
Check that the token contains the claims listed in this article and that the values within the token match the expected values defined in CDF.
Missing groups claim
If the ext_group_ids claim is missing from your token, try these solutions.
Check the token configuration
- Make sure that the app's token configuration is set to emit the
groupsclaim in tokens.
Check the group membership limit
CDF has a limit of 50 groups claims in a single access token. In larger organizations, the number of groups a principal is a member of may exceed the limit of 200 groups that the IdP will add to a token.
To resolve the issue, if you are using Microsoft Entra ID as your IdP, you need to configure your CDF project to call the MS Graph groups endpoint to obtain group information for the principal. See Best practices: Authorization and groups for details.
Remove cached permissions
If you have created/updated a CDF group and linked it to a group in the IdP but don't have access to the CDF project with the new permissions, sign out and delete your browser cache, or wait for the token to expire.
Access CDF projects with new permissions
If you have created/updated a CDF group and linked it to a group in the IdP but don't have access to the CDF project with the new permissions, sign out and delete your browser cache, or wait for the token to expire.
Using other IdPs than Microsoft Entra ID
If you want to use another IdP than Microsoft Entra ID to manage CDF access, such as Amazon Cognito, Google Cloud Platform, Auth0, and Keycloak, see the Minimum identity provider (IdP) requirements and contact your Cognite representative or one of our partners.