Tags: invalid_scope, api, auth_error (ai_generated: true)

OAuth2 error: invalid_scope: scope 'admin' not registered

ID: api/oauth2-invalid-scope-requested

Fix rate: 88%
Confidence: 84%
Evidence: 1
First seen: 2024-04-10

Version Compatibility

Version                           Status   Introduced   Deprecated   Notes
OAuth2 RFC 6749                   active   -            -            -
Spring Authorization Server 1.1+  active   -            -            -
Keycloak 23+                      active   -            -            -
Auth0 2024+                       active   -            -            -
Okta 2024+                        active   -            -            -

Root Cause

The client requested a scope that the authorization server does not recognize or that is not allowed for the client, often due to missing scope registration in the client configuration.
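The check behind this error, modelled as an added Python example (this is not code from the page or from any of the servers listed above): the server parses the space-delimited scope parameter (RFC 6749 section 3.3), compares it against the scopes registered for that client, and answers with the section 5.2 error body when one is unknown. The client registry, the client id "my-client" and its scope set are constructed sample data.

```python
"""Minimal model of an authorization server's scope validation (RFC 6749 sections 3.3 and 5.2)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredClient:
    """What the server knows about a client: its id, allowed scopes and default scopes."""
    client_id: str
    scopes: frozenset
    default_scopes: frozenset = frozenset()


# Constructed sample registry: 'my-client' may use 'read' and 'write' but not 'admin'.
CLIENTS = {
    "my-client": RegisteredClient("my-client", frozenset({"read", "write"}), frozenset({"read"})),
}


def parse_scope(scope_param):
    """Scope is a space-delimited, case-sensitive list of strings; tolerate repeated spaces."""
    if scope_param is None:
        return []
    return [s for s in scope_param.split(" ") if s]


def check_scope(client_id, scope_param):
    """Return (http_status, body) the token endpoint would produce for the scope part of a request."""
    client = CLIENTS.get(client_id)
    if client is None:
        # Unknown client is its own error class; it never reaches scope validation.
        return 401, {"error": "invalid_client"}

    requested = parse_scope(scope_param)
    if not requested:
        # Section 3.3: with no scope parameter the server may fall back to a default or fail.
        if not client.default_scopes:
            return 400, {"error": "invalid_scope",
                         "error_description": "no scope requested and no default scope configured"}
        return 200, {"scope": " ".join(sorted(client.default_scopes))}

    unknown = [s for s in requested if s not in client.scopes]
    if unknown:
        # Section 5.2: scope is unknown, malformed or exceeds what the client may request.
        return 400, {"error": "invalid_scope",
                     "error_description": f"scope '{unknown[0]}' not registered for client '{client_id}'"}

    # Preserve request order, drop duplicates.
    return 200, {"scope": " ".join(dict.fromkeys(requested))}


if __name__ == "__main__":
    for scope in ("read admin", "read write", None):
        print(scope, "->", check_scope("my-client", scope))
```

The error_description only ever names the first unknown scope; that is enough for a developer to fix the client configuration while keeping the response small and free of characters the RFC forbids in that field.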


Official Documentation

https://datatracker.ietf.org/doc/html/rfc6749#section-5.2

Workarounds

  1. 90% success: Register the missing scope in the authorization server's client configuration. For Keycloak, navigate to Clients > [Your Client] > Client Scopes > Add Client Scope, then assign the scope. For Spring Authorization Server, update the RegisteredClient definition (the builder rejects a client without at least one grant type, so one is included here):
    RegisteredClient registeredClient = RegisteredClient.withId("client-id")
        .clientId("my-client")
        .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS) // at least one grant type is required
        .scope("read")
        .scope("admin") // Add the missing scope
        .build();
  2. 70% success: If the scope should not be granted broadly, use a scope that is already registered and map it via a custom claim. For example, request 'read' scope and map it to admin privileges server-side. Note that such a mapping gives every holder of a 'read' token the elevated privileges, so restrict it to the specific client and audit it rather than applying it to the scope globally.


Dead Ends

Common approaches that don't work:

  1. 80% fail: The server must explicitly allow the scope for the client.
  2. 60% fail: Scope validation applies to all grant types.