When using the client credentials grant, an error similar to the one below, stating that certain scopes cannot be requested, might be received:
Cannot request 'openid' scopes using client credentials
- OAuth 2.0
- Client Credentials Grant
- OpenID Connect (OIDC)
- OIDC Scopes: openid, profile, email, phone
This error is caused by passing OpenID Connect (OIDC) scopes in the request to the /token endpoint (for example, scope=openid): OIDC scopes cannot be requested when grant_type=client_credentials.
The client credentials grant is an OAuth 2.0 flow that provides machine-to-machine authorization, which means authorization when no end-user is involved. An example of an end user is a human who authenticates inside a web browser.
OIDC is an extension to OAuth designed to request profile information about an end user. The client credentials grant does not have an end-user concept, so passing in any OIDC-related scopes with the client credentials grant is invalid.
Review the architecture and ensure the correct grant or flow is used for a specific use case.
If there is a scenario where an end user is authenticated and more information about that user is needed (for example, an email address), switch to an OIDC flow.
If information about an end user is not needed because the application itself is being authenticated, remove the OIDC scopes from the request to /token. An example of this architecture is a daily cron job on a server that pulls data from an API.
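The following is an added example, not part of the original article or any vendor's code. It shows both sides of the problem described above: a simplified version of the check an authorization server performs on the /token request (returning the same kind of error as the one quoted at the top), and a client-side helper that builds a client credentials request body with any OIDC scopes removed. The set of OIDC scopes is the one listed on the page (openid, profile, email, phone) plus address, which OIDC Core also defines; the function names, the error code `invalid_scope` and the constructed request bodies are assumptions for illustration only.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Scopes defined by OpenID Connect Core. The page lists the first four;
# 'address' is added here as an assumption because OIDC Core also defines it.
OIDC_SCOPES = {"openid", "profile", "email", "phone", "address"}


def validate_token_request(body: str) -> dict:
    """Mimic the authorization server's scope check on a /token request.

    `body` is the application/x-www-form-urlencoded request body.
    Returns {} when the request is acceptable, otherwise an OAuth 2.0 style
    error object. The error text mirrors the message quoted in the article.
    """
    params = {k: v[0] for k, v in parse_qs(body).items()}
    grant_type = params.get("grant_type")
    requested = set(params.get("scope", "").split())

    if grant_type == "client_credentials":
        # No end user exists in this grant, so profile scopes make no sense.
        offending = sorted(requested & OIDC_SCOPES)
        if offending:
            names = ", ".join(repr(s) for s in offending)
            return {
                "error": "invalid_scope",  # assumed error code
                "error_description": f"Cannot request {names} scopes using client credentials",
            }
    return {}


def build_client_credentials_body(requested_scopes) -> str:
    """Build the /token request body for a machine-to-machine client.

    Any OIDC scope is dropped before the request is sent, which is the fix the
    article recommends when no end-user information is needed.
    """
    api_scopes = [s for s in requested_scopes if s not in OIDC_SCOPES]
    fields = {"grant_type": "client_credentials"}
    if api_scopes:
        fields["scope"] = " ".join(api_scopes)
    return urlencode(fields)


def client_auth_header(client_id: str, client_secret: str) -> dict:
    """HTTP Basic client authentication header for the /token endpoint."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    # Constructed sample: a cron-style job that mistakenly asks for 'openid'.
    broken = "grant_type=client_credentials&scope=openid+api.read"
    print(validate_token_request(broken))
    # {'error': 'invalid_scope', 'error_description': "Cannot request 'openid' scopes using client credentials"}

    fixed = build_client_credentials_body(["openid", "api.read"])
    print(fixed)                               # grant_type=client_credentials&scope=api.read
    print(validate_token_request(fixed))       # {}
    print(client_auth_header("cron-job", "placeholder-secret"))
```

In practice the body returned by `build_client_credentials_body` is POSTed to the /token endpoint together with the header from `client_auth_header`; a job that only needs API access never has a reason to include openid, profile, email or phone in that request.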
