# Error: Failed to request OIDC token: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization.

- **ID:** `policy/github-actions-oidc-token-permission-denied`
- **Domain:** policy
- **Category:** auth_error
- **Error Code:** `403`
- **Verification:** ai_generated
- **Fix Rate:** 78%

## Root Cause

The GitHub Actions OIDC token request is denied because the organization's OIDC trust policy does not allow the requesting workflow, repository, or branch.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| GitHub Actions 2024-01 | active | — | — |
| GitHub Enterprise Server 3.12 | active | — | — |

## Workarounds

1. **Update the OIDC trust policy in the GitHub organization settings to allow the specific repository and branch. Navigate to Settings > Organization > Security > OIDC Trust Policies and add a condition like 'repository:owner/repo:ref:refs/heads/main'.** (85% success)
2. **Use a GitHub App or personal access token instead of OIDC for authentication. In the workflow, pass the token to 'actions/checkout@v4':** (90% success)
   ```yaml
   - uses: actions/checkout@v4
     with:
       token: ${{ secrets.MY_TOKEN }}
   ```
3. **Modify the workflow to run on a branch that is explicitly allowed in the OIDC trust policy. For example, if only 'main' is allowed, merge the feature branch into main before triggering the deployment workflow.** (75% success)

## Dead Ends

- **Re-run the workflow with the same configuration, hoping it's a transient error.** — The OIDC token request is denied due to policy configuration, not transient issues. Retrying will fail identically. (100% fail)
- **Add a new OIDC provider in the cloud provider (e.g., AWS) without updating GitHub settings.** — The error originates from GitHub's side denying the token request, not the cloud provider. The cloud provider configuration is irrelevant if GitHub refuses to issue the token. (95% fail)
- **Remove the 'id-token: write' permission from the workflow.** — The 'id-token: write' permission is required to request an OIDC token. Removing it will cause a different error about missing permissions. (90% fail)
