# Error: Failed to request OIDC token: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization due to branch protection rules.

- **ID:** `policy/github-actions-oidc-token-request-denied-by-branch-protection`
- **Domain:** policy
- **Category:** auth_error
- **Error Code:** `403`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

The GitHub Actions workflow is running on a branch protected by branch protection rules that restrict OIDC token requests (for example, rules requiring pull request reviews or status checks), and the workflow is not configured to request the token from an allowed branch or environment.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| GitHub Actions | active | — | — |
| GitHub Enterprise Cloud | active | — | — |
| GitHub Enterprise Server 3.10+ | active | — | — |

## Workarounds

1. **Configure the workflow to run only on branches that are not protected by the OIDC restriction, or use a GitHub environment with deployment branch policies that allow OIDC token requests. For example, add `if: github.ref == 'refs/heads/main'` to the job.** (85% success)
2. **Update the branch protection rule to allow OIDC token requests. In the GitHub repository settings, go to Settings > Branches > Branch protection rules, edit the rule, and under 'Rules applied to everyone including administrators', ensure 'Allow GitHub Actions to request OIDC tokens' is checked.** (90% success)
3. **Use a GitHub environment with a deployment branch policy that includes the protected branch, and reference the environment in the workflow job (e.g., `environment: production`). This allows OIDC token requests from that environment's allowed branches.** (80% success)
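As an added example (not part of this entry), the following workflow combines workarounds 1 and 3: the job requests the token only from `main` and references a `production` environment, so the token is issued with the environment-scoped `sub` claim (`repo:<owner>/<repo>:environment:production`) rather than a bare branch claim. The environment name `production`, the audience `sts.amazonaws.com` and the final logging step are assumptions chosen for illustration; the step decodes only the `sub` and `ref` claims so the token itself is never written to the log.

```yaml
name: deploy
on:
  push:
    branches: [main]

# id-token: write is required for any OIDC token request; everything else stays read-only
permissions:
  contents: read
  id-token: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Workaround 3: the environment's deployment branch policy must include `main`
    environment: production            # assumed environment name
    # Workaround 1: only attempt the token request from the branch the policy allows
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
      - name: Request OIDC token and log the claims it was issued for
        uses: actions/github-script@v7
        with:
          script: |
            // audience value is an assumption; use the one your cloud trust policy expects
            const token = await core.getIDToken('sts.amazonaws.com');
            // decode only the payload; never print the raw token
            const payload = JSON.parse(
              Buffer.from(token.split('.')[1], 'base64url').toString()
            );
            core.info(`sub=${payload.sub} ref=${payload.ref}`);
```

If the job is skipped entirely, the `if` condition filtered the branch; if it runs but the environment's deployment branch policy excludes the branch, the job fails before any step executes, which is the quickest way to tell the two policies apart.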

## Dead Ends

- Branch protection rules can explicitly block OIDC token requests from protected branches. The error is a direct result of this policy. (90% fail)
- While this would allow the OIDC token request, it removes important security controls (e.g., required reviews) and is not a viable long-term solution. (50% fail)
- The error is about OIDC token request permissions, not authentication method. Switching to a PAT requires different workflow configuration and may not address the branch protection rule. (70% fail)
