The RequestAuthorizationMiddleware.php is what’s throwing the ForbiddenException.
$result = $service->canResult($identity, $this->getConfig('method'), $request);
if (!$result->getStatus()) {
throw new ForbiddenException($result);
}
So I’m not sure how to work around this.