403 Status Code when using commerce api with OpenIDDict


Hello, I am trying to use OpenIDDict with the Commerce Content Delivery Api. I have set up an OpenIDConnectApplication as shown:

                useDevelopmentCertificate: true,
                signingCertificate: null,
                encryptionCertificate: null,
                createSchema: true,
                options =>
                {
                    var application = new OpenIDConnectApplication()
                    {
                        ClientId = "postman-client",
                        ClientSecret = "postman",
                        Scopes = { 
                            CommerceApiOptionsDefaults.Scope }
                    };
                }

and my CommerceAPI :


I have configured postman to use client_credentials grant type and had my token ready.

I then went ahead and called the api:


what I got is a 403 Forbidden error.

I went into the commerce api customer controller and looked up the endpoint:

        [Authorize(Policy = "episerver:com:customers")]
        public async Task<IActionResult> SignUp(SignUpModel accountModel)
        {
            IActionResult actionResult = CheckDisableIdentity();
            if (actionResult != null)
            {
                return actionResult;
            }

            return await SignUpInternal(accountModel, checkAnonymousScope: false);
        }

I saw this policy they have on this endpoint episerver:com:customers. I am not sure what that policy is. It's causing a 403 error, yet I am not sure what to provide for it.

Could someone please shed a light on this?

Any help is appreciated, and thanks in advance.

Edited, Aug 16, 2023 13:10

It means that to access the signup action, the user must have one of the roles

CommerceRoles.Customers, CommerceRoles.CommerceAdmins, Roles.Administrators

What roles does your account have?

Aug 16, 2023 13:50

Thank you for your reply Quan.

I am testing via Postman, and using the client credentials grant type while sending scopes, not the authorization code grant type.

Is it possible to work with the client credentials grant type?

Edited, Aug 16, 2023 14:26

That signup endpoint is for administrators.

You want to use the me endpoint. To get an anonymous token you need to add the anonymous_id scope shown here. Then to get a token see here.

If you want to get this working with client credentials you will need to add a handler to OnSignIn to add the Administrators or Customers role to the ClaimsIdentity.

Aug 16, 2023 22:09
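An added example (not code from this thread or from Optimizely) of the role-granting handler suggested above, written as an ASP.NET Core IClaimsTransformation. It grants only the Customers role, and only to the one registered client_credentials client, so a machine token never picks up Administrators. The claim names ("client_id", "sub"), the literal role string and the class name are assumptions; the role string should be replaced with CommerceRoles.Customers in a real project.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical claims transformation: runs after authentication and adds the
// Customers role to a client_credentials principal issued to the known client.
// Policy "episerver:com:customers" accepts Customers, so Administrators is not needed.
public class ClientCredentialsRoleTransformation : IClaimsTransformation
{
    // ClientId from the OpenIDConnectApplication registered in the question
    private const string TrustedClientId = "postman-client";

    // Assumed value; use CommerceRoles.Customers from the Commerce packages instead
    private const string CustomersRole = "Customers";

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
        {
            return Task.FromResult(principal);
        }

        // Assumed claim names: OpenIddict issues "client_id" for the calling client.
        // A client_credentials token carries no end-user subject; if a user "sub"
        // is present, this is an interactive login and we leave roles untouched.
        var clientId = principal.FindFirst("client_id")?.Value;
        var subject = principal.FindFirst("sub")?.Value;
        var isMachineToken = !string.IsNullOrEmpty(clientId)
                             && (string.IsNullOrEmpty(subject) || subject == clientId);

        // Claims transformations can run more than once per request; avoid duplicates.
        if (isMachineToken && clientId == TrustedClientId && !principal.IsInRole(CustomersRole))
        {
            // Use the identity's configured role claim type so [Authorize] role checks match.
            identity.AddClaim(new Claim(identity.RoleClaimType, CustomersRole));
        }

        return Task.FromResult(principal);
    }
}

// Registration in Startup.ConfigureServices / Program.cs (real ASP.NET Core API):
// services.AddSingleton<IClaimsTransformation, ClientCredentialsRoleTransformation>();
```

Because the role is tied to a single client id and a single role, rotating the client secret or removing the registration is enough to revoke the access, which is simpler to audit than adding Administrators to every machine token.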
Taher.elhares - Aug 20, 2023 11:00
Thanks, I was able to request an access token using the anonymous token endpoint. However, I noticed that no refresh token is being returned and the token only lasts for around an hour. I don't want the data to be lost once I request a new token, as I am working on a guest checkout journey. Is there a way to return a refresh token from the anonymous token endpoint, or any other way around it?