{
  "id": "api/oauth2-invalid-scope",
  "signature": "400 Bad Request: invalid_scope. The requested scope is invalid, unknown, or malformed.",
  "signature_zh": "400 错误请求：invalid_scope。请求的作用域无效、未知或格式错误。",
  "regex": "invalid_scope",
  "domain": "api",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "OAuth2 authorization request includes a scope value not recognized by the authorization server or not granted by the user.",
  "root_cause_type": "generic",
  "root_cause_zh": "OAuth2授权请求包含授权服务器未识别或用户未授予的作用域值。",
  "versions": [
    {
      "version": "OAuth 2.0 RFC 6749",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Google Identity Platform",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Auth0 Node.js SDK v3.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Adding extra scopes without checking server documentation leads to immediate rejection by the authorization server.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Using deprecated scope names (e.g., 'email' vs 'openid email') causes a 400 error because the server expects a specific format.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Verify the exact scope names supported by the API provider. For Google OAuth2, use 'openid email profile' instead of 'email profile'. Example: GET https://accounts.google.com/o/oauth2/v2/auth?scope=openid%20email%20profile&...",
      "success_rate": 0.95,
      "how": "Verify the exact scope names supported by the API provider. For Google OAuth2, use 'openid email profile' instead of 'email profile'. Example: GET https://accounts.google.com/o/oauth2/v2/auth?scope=openid%20email%20profile&...",
      "condition": "",
      "sources": []
    },
    {
      "action": "Remove any custom or unsupported scopes from the request. Check the provider's documentation for allowed values (e.g., 'read', 'write', 'admin').",
      "success_rate": 0.9,
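      "how": "Remove any custom or unsupported scopes from the request. Check the provider's documentation for allowed values (e.g., 'read', 'write', 'admin'). Request only the scopes the application actually needs; do not add broader scopes such as 'admin' just to get past the error.",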
      "condition": "",
      "sources": []
    },
    {
      "action": "If using incremental authorization, ensure the scope parameter is a space-delimited string, not comma-separated.",
      "success_rate": 0.85,
      "how": "If using incremental authorization, ensure the scope parameter is a space-delimited string, not comma-separated.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Verify the exact scope names supported by the API provider. For Google OAuth2, use 'openid email profile' instead of 'email profile'. Example: GET https://accounts.google.com/o/oauth2/v2/auth?scope=openid%20email%20profile&...",
    "Remove any custom or unsupported scopes from the request. Check the provider's documentation for allowed values (e.g., 'read', 'write', 'admin').",
    "If using incremental authorization, ensure the scope parameter is a space-delimited string, not comma-separated."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2",
  "official_doc_section": null,
  "error_code": "invalid_scope",
  "verification_tier": "ai_generated",
  "confidence": 0.9,
  "fix_success_rate": 0.9,
  "resolvable": "true",
  "first_seen": "2023-06-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}