# Error: Failed to request OIDC token: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization

- **ID:** `policy/github-actions-oidc-token-403-forbidden`
- **Domain:** policy
- **Category:** auth_error
- **Error Code:** `403`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

GitHub Actions OIDC token requests are blocked by organization-level or repository-level settings that restrict which workflows can request tokens for cloud provider authentication.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| GitHub Actions runner 2.315.0 | active | — | — |
| GitHub Enterprise Server 3.10 | active | — | — |
| GitHub REST API 2022-11-28 | active | — | — |

## Workarounds

1. **Go to organization settings > Actions > General > Permissions, and ensure 'Allow GitHub Actions to create and approve pull requests' is enabled. Then add the workflow's repository to the allowed list for OIDC token requests under 'OIDC Token' settings.** (85% success)
2. **If using GitHub Enterprise, check the repository's 'Actions secrets and variables' settings and verify that the 'Allow OIDC token for this repository' option is checked. For organization-level, run the following command:** (80% success)
   ```
   gh api -X PATCH /orgs/ORG/settings/actions -f 'allowed_actions=all'
   ```
3. **Configure the cloud provider's trust policy to accept tokens from the specific repository and branch. For AWS, update the IAM OIDC identity provider's trust policy to include the correct 'sub' claim:** (75% success)
   ```
   "Condition": {
     "StringEquals": {
       "token.actions.githubusercontent.com:sub": "repo:org/repo:ref:refs/heads/main"
     }
   }
   ```
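The `sub` condition in workaround 3 is an exact-match check, so a token minted for a pull request, a tag or another branch carries a different `sub` and is rejected even when the repository is right. The following is an added example, not code from the original record: it evaluates a constructed IAM-style `Condition` block against constructed GitHub OIDC claim sets (the token itself would normally be verified against the issuer's JWKS first, which is not shown here).

```python
"""Evaluate an AWS IAM trust-policy Condition against GitHub OIDC token claims."""
from fnmatch import fnmatchcase

ISSUER = "token.actions.githubusercontent.com"

# Constructed Condition from workaround 3, plus the audience key that the
# GitHub-to-AWS exchange is normally restricted to.
TRUST_CONDITION = {
    "StringEquals": {
        f"{ISSUER}:aud": "sts.amazonaws.com",
        f"{ISSUER}:sub": "repo:org/repo:ref:refs/heads/main",
    },
}


def condition_matches(condition, claims):
    """Return (ok, reason) for an IAM-style Condition block.

    Supports StringEquals and StringLike (glob wildcards). Every listed key
    must be present in the claims and match, mirroring how IAM ANDs the
    keys of a Condition together.
    """
    for operator, keys in condition.items():
        for key, expected in keys.items():
            claim = key.split(":", 1)[1]  # "<issuer>:sub" -> "sub"
            actual = claims.get(claim)
            if actual is None:
                return False, f"claim {claim!r} missing from token"
            patterns = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in patterns
            elif operator == "StringLike":
                ok = any(fnmatchcase(actual, p) for p in patterns)
            else:
                return False, f"unsupported operator {operator!r}"
            if not ok:
                return False, f"{claim}={actual!r} does not match {patterns}"
    return True, "all condition keys satisfied"


# Constructed claim sets showing how GitHub derives 'sub' from the trigger.
PUSH_TO_MAIN = {"aud": "sts.amazonaws.com", "sub": "repo:org/repo:ref:refs/heads/main"}
PULL_REQUEST = {"aud": "sts.amazonaws.com", "sub": "repo:org/repo:pull_request"}
FEATURE_BRANCH = {"aud": "sts.amazonaws.com", "sub": "repo:org/repo:ref:refs/heads/feature-x"}

if __name__ == "__main__":
    for name, claims in [("push to main", PUSH_TO_MAIN),
                         ("pull_request", PULL_REQUEST),
                         ("feature branch", FEATURE_BRANCH)]:
        print(f"{name:14s} -> {condition_matches(TRUST_CONDITION, claims)}")
```

Only the push-to-main token satisfies the constructed condition; widening it to other triggers means listing their `sub` values explicitly or using a `StringLike` pattern, and widening it to `repo:org/repo:*` lets any workflow in the repository assume the role.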

## Dead Ends

- The issue is a policy restriction, not a transient token error; re-running will hit the same 403. (100% fail)
- This bypasses the security benefit of OIDC and may violate compliance policies; also not a fix for the error. (60% fail)
- Restrictions are based on repository or organization settings, not branch or event names. (90% fail)
