Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > API Authentication >

C# Core - Get 'Access Denied' with RequestAccessTokenAsync in callback action

Started by App Dev -   in API Authentication

A bit bizarre this one.
If I run the dotnet core 'XeroNetStandardApp' locally (ie a localhost as the callback uri) - it works fine on my laptop (and locally on our live server).
But once I configure the xero app and the c# code to use an IP address (callback as https with a port that is 88),
the callback action gets called, but it then fails in the call to RequestAccessTokenAsync.

The error is:
"Access Denied
You don't have permission to access "http://identity.xero.com/connect/token" on this server.
Reference #18.35a21002.1643706969.3efcc5b "

(For debug purposes, the only way I got to see this error is by using Reflector and creating the RequestAccessTokenAsync function in my code)

I'm confused why this is happening - as the url is hard coded (https://identity.xero..) in the RequestAccessTokenAsync and the error message states 'http://identity.xero.....' ie, RequestAccessTokenAsync function uses:

AuthorizationCodeTokenRequest authorizationCodeTokenRequest = new AuthorizationCodeTokenRequest()
Address = "https://identity.xero.com/connect/token",
GrantType = "code",
Code = code, ..............

Has anyone else had a problem like this when running the dotnet core app in IIS on a server using an ip address instead of localhost?

If you are seeing a reference number beginning #18. this is due to your call being blocked by the WAF we use. If your call works on one ip address but not another it suggests that the ip address you are using is triggering one of the risk alerts.

I have added a link to the Akamai website that discusses common reasons why your ip address may be blocked. https://community.akamai.com/customers/s/article/Why-is-Akamai-blocking-me?language=en_US

Usually blocking is temporary until the risk scores improve but if you get the same error again, please can you send an email to api@xero.com with details of your client id and the full error code as quickly as you can as the error code has a limited lifespan.

Sally C (Community Manager)  

Thanks - i've sent the email

App Dev