Introduction
When using the Boundary Desktop Client v2.4.0 (or any version utilizing Boundary CLI/Daemon v0.15.0+), users may find that targets are not listed in the application after a successful OIDC login. This issue specifically impacts the "Search" and "Targets" tab functionality introduced in recent versions, which relies on a background cache daemon to manage session states and resource retrieval.
Problem
The Boundary Desktop Client now utilizes a background Cache Daemon to improve search performance. To keep the user's session valid, this daemon must be able to "read" and "delete" the user's own authentication token, which requires the read:self and delete:self actions on the auth-token resource type. Older versions of the Boundary Desktop Client (for example v2.0.3), which do not depend on the daemon, may still display targets correctly.
If the user's role at the Global scope (typically the global_anon_listing role or a specific OIDC managed group role) lacks these "self" grants, the daemon's token read is denied with a 403. The UI then fails to populate targets even though the user has the correct permissions on those targets at the Project level.
Symptoms
- Users can authenticate successfully via OIDC, but the "Targets" tab remains empty.
- Users may have been able to see targets in older versions (e.g., v2.0.3) but cannot in v2.4.0.
- Boundary Desktop Client logs show the following errors:
  - {"context":"Error from controller when performing read on auth token","status_code":403,"api_error":{"kind":"PermissionDenied","message":"Forbidden."}}
  - {"context":"Error from cache when performing search","status_code":403,"api_error":{"kind":"Forbidden","message":"Forbidden"}}
- The client agent status may show as "Paused" or "Refused" in logs if local ports are blocked:
  - dial tcp 127.0.0.1:9300: connectex: No connection could be made because the target machine actively refused it.
Solution
To resolve this issue, an administrator must update the permissions at the Global scope to allow the cache daemon to manage its own tokens.
1. Add Required Grant:
In the HCP Boundary console, navigate to: Global Org → Roles → global_anon_listing → Grants
Add the following grant: ids=*;type=auth-token;actions=read:self,delete:self
CLI Equivalent (this form additionally grants list on auth tokens):
boundary roles add-grants \
  -id <role_id> \
  -grant "ids=*;type=auth-token;actions=delete:self,list,read:self"
2. Enable Scope Inheritance:
The permission must apply to the Global scope and all its descendants to allow the daemon to function across different Orgs and Projects:
- In the Role settings, go to the Scopes tab.
- Click Manage and enable the "Add all descendants" toggle.
CLI Equivalent:
boundary roles set-grant-scopes \
  -id <role_id> \
  -grant-scope-id "this" \
  -grant-scope-id "descendants"
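To check a role before and after applying the two steps above, the following added Python script (example code written for this article, not part of Boundary or HashiCorp's tooling) reads the role with boundary roles read -format json, inspects its grant strings for the auth-token read:self and delete:self actions and its grant scopes for this and descendants, and prints the remediation commands from the steps above only for what is actually missing. It assumes the JSON shape of the CLI output (an item object carrying grant_strings and grant_scope_ids lists), treats actions=* as covering the self actions, accepts the legacy id= key as well as ids=, and conservatively does not count a broad read or delete grant as satisfying read:self or delete:self. The roles in the usage section are constructed sample data.

```python
#!/usr/bin/env python3
"""Audit a Boundary role for the auth-token self grants the Desktop cache daemon needs.

Example code written for this article, not HashiCorp's code. Assumes the output of
`boundary roles read -id <role_id> -format json` is {"item": {...}} where the item
carries "id", "grant_strings" (list of grant strings) and "grant_scope_ids".
"""
import json
import subprocess
import sys

# The actions the cache daemon needs on the user's own auth token (from the article).
REQUIRED_ACTIONS = {"read:self", "delete:self"}
# The grant scopes the article says the Global role must carry.
REQUIRED_SCOPES = {"this", "descendants"}


def parse_grant(grant: str) -> dict:
    """Split 'ids=*;type=auth-token;actions=read:self,delete:self' into key -> set of values."""
    fields = {}
    for part in grant.split(";"):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = {v.strip() for v in value.split(",") if v.strip()}
    # Older grant strings use "id=" instead of "ids="; normalise to one key.
    if "ids" not in fields and "id" in fields:
        fields["ids"] = fields.pop("id")
    return fields


def actions_covered(grant: str) -> set:
    """Which of the required self actions this single grant allows.

    Only a grant that matches every auth token (ids=*) of type auth-token (or type=*)
    counts. actions=* is treated as covering everything. A broad 'read' or 'delete'
    is deliberately NOT counted, so the audit errs on the side of reporting a gap.
    """
    g = parse_grant(grant)
    if "*" not in g.get("ids", set()):
        return set()
    if not g.get("type", set()) & {"auth-token", "*"}:
        return set()
    actions = g.get("actions", set())
    if "*" in actions:
        return set(REQUIRED_ACTIONS)
    return REQUIRED_ACTIONS & actions


def missing_self_grants(role: dict) -> set:
    """Required self actions that no grant string on the role provides."""
    covered = set()
    for grant in role.get("grant_strings", []):
        covered |= actions_covered(grant)
    return REQUIRED_ACTIONS - covered


def missing_grant_scopes(role: dict) -> set:
    """Required grant scopes ('this', 'descendants') the role does not carry."""
    return REQUIRED_SCOPES - set(role.get("grant_scope_ids", []))


def remediation_commands(role: dict) -> list:
    """The CLI commands from the article, emitted only for what is missing."""
    cmds = []
    role_id = role["id"]
    if missing_self_grants(role):
        cmds.append(
            f'boundary roles add-grants -id {role_id} '
            f'-grant "ids=*;type=auth-token;actions=read:self,delete:self"'
        )
    if missing_grant_scopes(role):
        cmds.append(
            f"boundary roles set-grant-scopes -id {role_id} "
            f"-grant-scope-id this -grant-scope-id descendants"
        )
    return cmds


def read_role(role_id: str) -> dict:
    """Fetch the role via the Boundary CLI (requires an authenticated CLI session)."""
    out = subprocess.run(
        ["boundary", "roles", "read", "-id", role_id, "-format", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)["item"]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_role.py <role_id>")
    role = read_role(sys.argv[1])
    print("missing self actions:", sorted(missing_self_grants(role)) or "none")
    print("missing grant scopes:", sorted(missing_grant_scopes(role)) or "none")
    for cmd in remediation_commands(role):
        print("fix:", cmd)
```

Run it as audit_role.py <role_id> from a shell where the Boundary CLI is already authenticated as an administrator; an empty "fix:" list means the role already satisfies both steps. Because the script treats only ids=* grants on type auth-token (or type=*) as valid, a role that scopes the self actions to a single token ID is reported as missing, which is the behaviour you want when the goal is every user's daemon reading its own token.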