403 Forbidden error after logging in

[actapia]

Describe the bug
GlobalProtect-openconnect displays a window showing "403 Forbidden" after entering username and password and does not connect to the VPN.

Expected behavior
It is expected that the program should proceed to Duo two-factor authentication after entering the username and password. After two-factor authentication succeeds, the application should connect to the VPN.

Screenshots

Logs

[2026-01-04T15:40:55Z INFO  gpclient::cli] gpclient started: 2.5.1 (2025-12-22)
[2026-01-04T15:40:55Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect/6.3.0-33 (Linux Arch Linux)
[2026-01-04T15:40:55Z INFO  gpauth::cli] gpauth started: 2.5.1 (2025-12-22)
[2026-01-04T15:40:55Z INFO  auth::webview::webview_auth] Setting up auth window...
libEGL warning: DRI3 error: Could not get DRI3 device
libEGL warning: Ensure your X server supports DRI3 to get accelerated rendering
[2026-01-04T15:40:56Z INFO  auth::webview::webview_auth] Loading auth request as URL: https://a**********u/adfs/ls/?SAMLRequest=h**********f&RelayState=%2B**********x
[2026-01-04T15:40:56Z INFO  auth::webview::webview_auth] Auth window setup completed
[2026-01-04T15:40:56Z INFO  auth::webview::webview_auth] Started loading page: https://a**********u/adfs/ls/?SAMLRequest=h**********f&RelayState=%2B**********x
[2026-01-04T15:40:56Z INFO  auth::webview::auth_messenger] Read auth data from html failed: No auth data found, extracting gpcallback...
[2026-01-04T15:40:56Z INFO  auth::webview::webview_auth] No auth data found in Body, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:40:56Z INFO  auth::webview::auth_messenger] Displaying the window in 2 second(s)...
[2026-01-04T15:40:56Z INFO  auth::webview::webview_auth] Finished loading page: https://a**********u/adfs/ls/?SAMLRequest=h**********f&RelayState=%2B**********x
[2026-01-04T15:40:56Z INFO  auth::webview::webview_auth] No auth data found in Headers, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:40:56Z INFO  auth::webview::auth_messenger] Raise window task is still running, skipping...
[2026-01-04T15:40:56Z INFO  auth::webview::auth_messenger] Read auth data from html failed: No auth data found, extracting gpcallback...
[2026-01-04T15:40:56Z INFO  auth::webview::webview_auth] No auth data found in Body, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:40:56Z INFO  auth::webview::auth_messenger] Raise window task is still running, skipping...
[2026-01-04T15:40:58Z INFO  auth::webview::webview_auth] Raising auth window...
[2026-01-04T15:41:00Z INFO  gpapi::utils::window::unix] Window not raised: Failed to raise window: GlobalProtect Login
[2026-01-04T15:41:08Z INFO  auth::webview::webview_auth] Started loading page: https://a**********u/adfs/ls/?SAMLRequest=h**********f&RelayState=%2B**********x&client-request-id=1**********3
[2026-01-04T15:41:08Z INFO  auth::webview::webview_auth] Finished loading page: https://a**********u/adfs/ls/?SAMLRequest=h**********f&RelayState=%2B**********x&client-request-id=1**********3
[2026-01-04T15:41:08Z INFO  auth::webview::webview_auth] No auth data found in Headers, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:41:08Z INFO  auth::webview::auth_messenger] Read auth data from html failed: No auth data found, extracting gpcallback...
[2026-01-04T15:41:08Z INFO  auth::webview::webview_auth] No auth data found in Body, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:41:08Z INFO  auth::webview::auth_messenger] Read auth data from html failed: No auth data found, extracting gpcallback...
[2026-01-04T15:41:08Z INFO  auth::webview::webview_auth] No auth data found in Body, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:41:09Z INFO  auth::webview::webview_auth] Started loading page: https://a**********m/frame/frameless/v4/auth?sid=f**********d&tx=e**********A&req-trace-group=7**********b
[2026-01-04T15:41:09Z INFO  auth::webview::auth_messenger] Read auth data from html failed: No auth data found, extracting gpcallback...
[2026-01-04T15:41:09Z INFO  auth::webview::webview_auth] No auth data found in Body, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:41:09Z INFO  auth::webview::webview_auth] Finished loading page: https://a**********m/frame/frameless/v4/auth?sid=f**********d&tx=e**********A&req-trace-group=7**********b
[2026-01-04T15:41:09Z INFO  auth::webview::webview_auth] No auth data found in Headers, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:41:09Z INFO  auth::webview::auth_messenger] Read auth data from html failed: No auth data found, extracting gpcallback...
[2026-01-04T15:41:09Z INFO  auth::webview::webview_auth] No auth data found in Body, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:41:09Z INFO  auth::webview::webview_auth] Started loading page: https://a**********m/frame/frameless/v4/auth?sid=f**********d&tx=e**********A&req-trace-group=7**********b
[2026-01-04T15:41:09Z INFO  auth::webview::auth_messenger] Read auth data from html failed: No auth data found, extracting gpcallback...
[2026-01-04T15:41:09Z INFO  auth::webview::webview_auth] No auth data found in Body, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:41:09Z INFO  auth::webview::webview_auth] Finished loading page: https://a**********m/frame/frameless/v4/auth?sid=f**********d&tx=e**********A&req-trace-group=7**********b
[2026-01-04T15:41:09Z INFO  auth::webview::webview_auth] No auth data found in Headers, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:41:09Z INFO  auth::webview::auth_messenger] Read auth data from html failed: No auth data found, extracting gpcallback...
[2026-01-04T15:41:09Z INFO  auth::webview::webview_auth] No auth data found in Body, it may not be the /SAML20/SP/ACS endpoint
[2026-01-04T15:41:15Z WARN  gpclient::connect] Failed to connect portal with prelogin: Authentication cancelled

Environment:

• OS: Arch Linux
• Is remote SSH? No

Additional context
Binaries installed from https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.5.1/globalprotect-openconnect_2.5.1_x86_64.bin.tar.xz and started in QTerminal as gpclient connect ra.uky.edu via X2Go.

Connecting to the same server works with GlobalProtect-openconnect 1.x.

[yuezk]

Hi @actapia, it seems that the authentication page is blocked. You can try running the command with the --browser option, which will open the login page in the default browser.

[actapia]

@yuezk Yes, that allows the authentication to proceed to Duo two-factor authentication, and then I get to a page like this:

I don't seem to be connected to the VPN at that point, though. Should I open a separate issue for that?

[yuezk]

Hi, @actapia what happens when you click the click here link on the page?

[actapia]

@yuezk Nothing seems to happen when I click that link. The link destination is something like globalprotectcallback:PG....

[yuezk]

@actapia can you run xdg-mime query default x-scheme-handler/globalprotectcallback to see what is the output?