The only two things I can think of is that for some reason the DB has incorrect info, for example if you are pointing to a DB without that user (it has happened to me that I point to a staging DB and I try to access it with production credentials).
The other option is that the token you are using for the requests has expired. Try to refresh the token by logging in again.
If that doesn't help, you need to get more info on what's going on. Try adding debug strings (
http://loopback.io/doc/en/lb2/Setting-debug-strings.html). You could try with the security ones like loopback:security:role or maybe loopback:security:acl, or if that doesn't help try the whole category with loopback:security:* . This will show you a stack of what loopback is doing for authorization steps.
You could also try with loopback:connector:* (or use the specific connector you are using, e.g. mongodb) to see what's going on with the database. Like I said, I once was pointing to the wrong database and this is where I saw the user didn't even exist.
That should help you out get more info on the inner workings of your system.
Hoe that helps,
Akram