{ "id": "api/oauth2-invalid-scope-requested", "signature": "OAuth2 error: invalid_scope: scope 'admin' not registered", "signature_zh": "OAuth2 错误:invalid_scope:作用域 'admin' 未注册", "regex": "OAuth2 error: invalid_scope: scope .* not registered", "domain": "api", "category": "auth_error", "subcategory": null, "root_cause": "The client requested a scope that the authorization server does not recognize or that is not allowed for the client, often due to missing scope registration in the client configuration.", "root_cause_type": "generic", "root_cause_zh": "客户端请求了一个授权服务器不识别或不允许的作用域,通常是由于客户端配置中缺少作用域注册。", "versions": [ { "version": "OAuth2 RFC 6749", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Spring Authorization Server 1.1+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Keycloak 23+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Auth0 2024+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Okta 2024+", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "The server must explicitly allow the scope for the client.", "fail_rate": 0.8, "condition": "", "sources": [] }, { "action": "", "why_fails": "Scope validation applies to all grant types.", "fail_rate": 0.6, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Register the missing scope in the authorization server's client configuration. For Keycloak, navigate to Clients > [Your Client] > Client Scopes > Add Client Scope, then assign the scope. For Spring Authorization Server, update the RegisteredClient definition:\nRegisteredClient registeredClient = RegisteredClient.withId(\"client-id\")\n .clientId(\"my-client\")\n .scope(\"admin\") // Add the missing scope\n .build();", "success_rate": 0.9, "how": "Register the missing scope in the authorization server's client configuration. For Keycloak, navigate to Clients > [Your Client] > Client Scopes > Add Client Scope, then assign the scope. For Spring Authorization Server, update the RegisteredClient definition:\nRegisteredClient registeredClient = RegisteredClient.withId(\"client-id\")\n .clientId(\"my-client\")\n .scope(\"admin\") // Add the missing scope\n .build();", "condition": "", "sources": [] }, { "action": "If the scope should not be granted broadly, use a scope that is already registered and map it via a custom claim. For example, request 'read' scope and map it to admin privileges server-side.", "success_rate": 0.7, "how": "If the scope should not be granted broadly, use a scope that is already registered and map it via a custom claim. For example, request 'read' scope and map it to admin privileges server-side.", "condition": "", "sources": [] } ], "workarounds_zh": [ "Register the missing scope in the authorization server's client configuration. For Keycloak, navigate to Clients > [Your Client] > Client Scopes > Add Client Scope, then assign the scope. For Spring Authorization Server, update the RegisteredClient definition:\nRegisteredClient registeredClient = RegisteredClient.withId(\"client-id\")\n .clientId(\"my-client\")\n .scope(\"admin\") // Add the missing scope\n .build();", "If the scope should not be granted broadly, use a scope that is already registered and map it via a custom claim. For example, request 'read' scope and map it to admin privileges server-side." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2", "official_doc_section": null, "error_code": "invalid_scope", "verification_tier": "ai_generated", "confidence": 0.84, "fix_success_rate": 0.88, "resolvable": "true", "first_seen": "2024-04-10", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }