# OAuth2 error: invalid_scope: scope 'admin' not registered

- **ID:** `api/oauth2-invalid-scope-requested`
- **Domain:** api
- **Category:** auth_error
- **Error Code:** `invalid_scope`
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

The client requested a scope that the authorization server does not recognize or that is not allowed for the client, often due to missing scope registration in the client configuration.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OAuth2 RFC 6749 | active | — | — |
| Spring Authorization Server 1.1+ | active | — | — |
| Keycloak 23+ | active | — | — |
| Auth0 2024+ | active | — | — |
| Okta 2024+ | active | — | — |

## Workarounds

1. **Register the missing scope in the authorization server's client configuration.** (90% success)
   For Keycloak, navigate to Clients > [Your Client] > Client Scopes > Add Client Scope, then assign the scope. For Spring Authorization Server, add the scope to the `RegisteredClient` definition (a grant type and, for `authorization_code`, a redirect URI are required, or `build()` rejects the client):
   ```java
   import org.springframework.security.oauth2.core.AuthorizationGrantType;
   import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

   RegisteredClient registeredClient = RegisteredClient.withId("client-id")
       .clientId("my-client")
       .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) // build() requires at least one grant type
       .redirectUri("https://app.example.com/callback") // required with authorization_code
       .scope("admin") // Add the missing scope
       .build();
   ```
2. **If the scope should not be granted broadly, use a scope that is already registered and map it via a custom claim.** (70% success)
   For example, request the `read` scope and map it to admin privileges server-side.
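To make the root cause and workaround 1 concrete, here is an added, vendor-neutral model of the check an authorization server runs before granting scopes (RFC 6749 sections 3.3 and 4.1.2.1); it is example code written for this page, not Spring's, Keycloak's or any other server's implementation, and the client registration, redirect URI and scope names in it are constructed.

```python
"""Model of the per-client scope check behind an OAuth2 `invalid_scope` error.
Constructed example; not any vendor's implementation."""
from urllib.parse import urlencode


def build_registry():
    """Constructed client registrations; 'admin' is deliberately not registered."""
    return {
        "my-client": {
            "scopes": {"openid", "profile", "read"},
            "redirect_uri": "https://app.example.com/callback",
        }
    }


def parse_scope(scope_param):
    """RFC 6749 section 3.3: scope is a space-delimited, case-sensitive token list."""
    return [token for token in scope_param.split(" ") if token]


def check_scopes(registry, client_id, scope_param):
    """Return the granted scope list or an RFC 6749 error object.

    The check is per client: a scope the server knows but has not assigned
    to this client is still 'invalid_scope' for this client."""
    client = registry.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    requested = parse_scope(scope_param)
    unregistered = [s for s in requested if s not in client["scopes"]]
    if unregistered:
        return {
            "error": "invalid_scope",
            "error_description": "scope '%s' not registered" % "', '".join(unregistered),
        }
    return {"granted": requested}


def authorize(registry, client_id, scope_param, state):
    """Authorization endpoint (section 4.1.2.1): a scope error is sent back to the
    client's registered redirect URI with the state echoed; unknown clients get
    no redirect at all."""
    result = check_scopes(registry, client_id, scope_param)
    if "error" not in result:
        return result["granted"]
    client = registry.get(client_id)
    if client is None:
        return result
    return client["redirect_uri"] + "?" + urlencode(dict(result, state=state))


def register_scope(registry, client_id, scope):
    """Workaround 1: assign the scope to the client so the same request passes."""
    registry[client_id]["scopes"].add(scope)
```

Running `authorize(build_registry(), "my-client", "openid admin", "xyz")` reproduces the redirect carrying `error=invalid_scope`, and after `register_scope(..., "admin")` the same request returns the granted list.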

## Dead Ends

- The server must explicitly allow the scope for the client. (80% fail)
- Scope validation applies to all grant types. (60% fail)
