Tags: invalid_scope, api, auth_error; ai_generated: true
OAuth2 error: invalid_scope: scope 'admin' not registered
ID: api/oauth2-invalid-scope-requested
88% fix rate
84% confidence
1 piece of evidence
First seen 2024-04-10
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OAuth2 RFC 6749 | active | — | — | — |
| Spring Authorization Server 1.1+ | active | — | — | — |
| Keycloak 23+ | active | — | — | — |
| Auth0 2024+ | active | — | — | — |
| Okta 2024+ | active | — | — | — |
Root cause analysis
The client requested a scope that the authorization server does not recognize, or that is not allowed for this client; the usual cause is a missing scope registration in the client configuration.
Official documentation
https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
Solution
- Register the missing scope in the authorization server's client configuration. For Keycloak, navigate to Clients > [Your Client] > Client Scopes > Add Client Scope, then assign the scope. For Spring Authorization Server, update the RegisteredClient definition:

  ```java
  RegisteredClient registeredClient = RegisteredClient.withId("client-id")
      .clientId("my-client")
      .scope("admin") // add the missing scope
      .build();
  ```

- If the scope should not be granted broadly, use a scope that is already registered and map it via a custom claim. For example, request the 'read' scope and map it to admin privileges server-side.
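To make the two failure modes in the root cause concrete (a scope the server does not know at all versus a scope the server knows but has not assigned to this client), here is an added example, not code from the page or from any of the listed authorization servers, of the server-side check that produces the RFC 6749 section 5.2 `invalid_scope` response, together with the registration step that clears it. The client IDs, scope names and the `CLIENT_REGISTRY` / `KNOWN_SCOPES` structures are constructed for the example.

```python
"""Scope validation at an OAuth2 token endpoint, as RFC 6749 describes it.
Added example; the registry contents below are constructed, not a real server."""
from urllib.parse import parse_qs

# Constructed registry: a scope must be both known to the server and
# assigned to the requesting client before it can be granted.
KNOWN_SCOPES = {"openid", "profile", "read", "write", "admin"}
CLIENT_REGISTRY = {
    "my-client": {"allowed_scopes": {"openid", "profile", "read"},
                  "default_scopes": {"openid"}},
    "ops-console": {"allowed_scopes": {"openid", "read", "write", "admin"},
                    "default_scopes": {"openid", "read"}},
}


def validate_scope(client_id, scope_param):
    """Return ("ok", granted_scopes) or ("error", error_body).

    scope_param is the raw 'scope' request parameter (space-delimited per
    RFC 6749 section 3.3), or None when the client omitted it.
    """
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        return "error", {"error": "invalid_client"}
    if not scope_param:
        # Omitted scope: RFC 6749 section 3.3 lets the server apply a default.
        return "ok", set(client["default_scopes"])
    requested = set(scope_param.split())

    # Failure mode 1: the server has never heard of the scope.
    unknown = requested - KNOWN_SCOPES
    if unknown:
        names = " ".join(sorted(unknown))
        return "error", {"error": "invalid_scope",
                         "error_description": f"scope '{names}' not registered"}

    # Failure mode 2: the scope exists but is not assigned to this client.
    not_allowed = requested - client["allowed_scopes"]
    if not_allowed:
        names = " ".join(sorted(not_allowed))
        return "error", {"error": "invalid_scope",
                         "error_description":
                             f"scope '{names}' not allowed for client '{client_id}'"}
    return "ok", requested


def handle_token_request(body):
    """Minimal token-endpoint front: parse the form body, validate the scope,
    and return (http_status, json_body) as RFC 6749 section 5.2 requires."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    status, result = validate_scope(form.get("client_id"), form.get("scope"))
    if status == "error":
        return 400, result
    return 200, {"access_token": "constructed-token",   # placeholder token value
                 "token_type": "Bearer",
                 "scope": " ".join(sorted(result))}


def register_scope_for_client(client_id, scope):
    """The fix from the solution above: make the scope known to the server
    and assign it to the client, so the same request now succeeds."""
    KNOWN_SCOPES.add(scope)
    CLIENT_REGISTRY[client_id]["allowed_scopes"].add(scope)


if __name__ == "__main__":
    print(handle_token_request(
        "grant_type=client_credentials&client_id=my-client&scope=openid+admin"))
    register_scope_for_client("my-client", "admin")
    print(handle_token_request(
        "grant_type=client_credentials&client_id=my-client&scope=openid+admin"))
```

The check runs before any grant-type-specific logic, which is why, as the notes below point out, the error appears for every grant type and cannot be avoided by switching flows. Returning a 400 with a short `error_description` that names the offending scope (rather than a generic failure) is what lets an operator tell a typo in the client from a missing registration on the server.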
Ineffective attempts
Common but ineffective approaches:
- 80% failure rate: the server must explicitly allow the scope for the client.
- 60% failure rate: scope validation applies to all grant types.