# OAuth2 error: invalid_scope: scope 'admin' is not registered

- **ID:** `api/oauth2-invalid-scope-requested`
- **Domain:** api
- **Category:** auth_error
- **Error code:** `invalid_scope`
- **Verification level:** ai_generated
- **Fix rate:** 88%

## Root cause

The client requested a scope that the authorization server does not recognise or does not allow for that client, usually because the scope was never registered in the client's configuration.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| OAuth2 RFC 6749 | active | — | — |
| Spring Authorization Server 1.1+ | active | — | — |
| Keycloak 23+ | active | — | — |
| Auth0 2024+ | active | — | — |
| Okta 2024+ | active | — | — |

## Solutions

1. Register the missing scope in the authorization server's client configuration. For Keycloak, navigate to Clients > [Your Client] > Client Scopes > Add Client Scope, then assign the scope. For Spring Authorization Server, update the `RegisteredClient` definition:

   ```java
   RegisteredClient registeredClient = RegisteredClient.withId("client-id")
       .clientId("my-client")
       .clientSecret("{noop}placeholder-secret") // placeholder; store an encoded secret in practice
       .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
       .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS) // build() rejects an empty grant-type set
       .scope("admin") // Add the missing scope
       .build();
   ```

2. If the scope should not be granted broadly, use a scope that is already registered and map it via a custom claim. For example, request the 'read' scope and map it to admin privileges server-side.
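
As an added example (not code from this page, Spring Authorization Server or Keycloak), the following Python model shows the server-side check that produces `invalid_scope` for an unregistered scope and the registered-scope-to-custom-claim mapping from solution 2; the client ids, registered scopes and claim values are constructed sample data.

```python
"""Reference model of an OAuth2 token-endpoint scope check (RFC 6749 sections 3.3 and 5.2).

Constructed example: the client registry, scopes and claim mapping are sample values,
not the configuration of any real authorization server.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    scopes: frozenset                       # scopes registered for this client
    # Solution 2: a registered scope may carry extra claims; keep this mapping
    # per client so an ordinary scope never elevates every client that asks for it.
    claim_mapping: Dict[str, dict] = field(default_factory=dict)


# Constructed registry: "my-client" has not registered "admin" (the error on this page).
CLIENTS = {
    "my-client": RegisteredClient("my-client", frozenset({"read", "write"})),
    "ops-client": RegisteredClient("ops-client", frozenset({"read"}),
                                   claim_mapping={"read": {"roles": ["admin"]}}),
}


def parse_scope(scope_param: Optional[str]) -> List[str]:
    """Split the space-delimited scope parameter (RFC 6749 section 3.3); empty means 'none'."""
    return scope_param.split() if scope_param else []


def check_scope_request(client_id: str, scope_param: Optional[str]) -> dict:
    """Return the token-endpoint outcome a server would produce for this scope request.

    The check runs for every grant type: the client must have every requested scope
    registered, otherwise the whole request is rejected with invalid_scope.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    requested = parse_scope(scope_param)
    unknown = sorted(set(requested) - client.scopes)
    if unknown:
        # RFC 6749 section 5.2: invalid_scope is its own error code; naming the
        # offending scope tells the client owner exactly what to register.
        return {"error": "invalid_scope",
                "error_description": f"scope '{unknown[0]}' is not registered for client '{client_id}'"}
    granted = requested or sorted(client.scopes)   # no scope parameter: fall back to the registered set
    claims = {"scope": " ".join(granted)}
    for scope in granted:
        claims.update(client.claim_mapping.get(scope, {}))
    return {"granted": claims}
```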

## Ineffective attempts

- The server must explicitly allow the scope for the client. (80% failure rate)
- Scope validation applies to all grant types. (60% failure rate)
