When requesting groups for an OpenID Connect application through a custom Authorization Server (such as the "default" server), requesting the groups scope fails with an invalid_scope error:
One or more scopes are not configured for the authorization server resource.
- OpenID Connect
- API Access Management
- Groups claim
- Scopes
When requesting groups through the Okta Org Authorization Server, a special scope called "groups" is set up that allows the app to request the groups claim configured in the app's settings. When using a custom Authorization Server, claims must be set up on the Authorization Server rather than in the app settings, and the special "groups" scope is not created automatically.
When a groups claim is created on an Authorization Server, it can either be included in a specific token at all times or be tied to a scope. To mimic the behavior of the Okta Org Authorization Server, create a new scope called groups and then configure a custom groups claim to be included only when that scope is requested.
1. On the custom Authorization Server, open the Scopes tab and create a scope called groups, matching the scope name used by the Org Authorization Server.
2. Switch to the Claims tab and create a custom claim named groups, matching the default name of an app's groups claim. Set Include in token type to ID Token, and change Include in from Any scope to The following scopes. In the box that appears, type groups and select it from the dropdown so that the claim is included only when the scope created in step 1 is requested.
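The following is an added example, not Okta's code, that models the behavior the two steps above produce: a custom Authorization Server only honors scopes it has configured, and a claim bound to a scope is emitted only when that scope is requested. The server configuration, user record and the unsigned sample token are all constructed for the illustration; the payload decoder deliberately does not verify a signature, so it is for inspecting which claims came back, not for trusting them.

```python
import base64
import json

# Built-in OIDC scopes that a custom Authorization Server already knows about.
BUILT_IN_SCOPES = ["openid", "profile", "email"]

# Constructed state of the custom Authorization Server BEFORE step 1 and 2:
# no "groups" scope and no groups claim.
SERVER_BEFORE = {"scopes": list(BUILT_IN_SCOPES), "claims": []}

# Constructed state AFTER step 1 (scope added) and step 2 (claim bound to the scope).
SERVER_AFTER = {
    "scopes": BUILT_IN_SCOPES + ["groups"],
    "claims": [
        {
            "name": "groups",                 # matches the app's default groups claim name
            "tokenType": "ID",                # step 2: Token type = ID Token
            "alwaysIncludeInToken": False,    # step 2: not "Any scope"
            "conditions": {"scopes": ["groups"]},  # step 2: "The following scopes: groups"
        }
    ],
}

# Constructed sample user with group memberships.
SAMPLE_USER = {"sub": "00u_constructed_example", "groups": ["Everyone", "Admins"]}

INVALID_SCOPE = {
    "error": "invalid_scope",
    "error_description": "One or more scopes are not configured for the authorization server resource.",
}


def issue_id_token_claims(server, requested_scopes, user):
    """Model of the server's decision: reject unknown scopes, otherwise build ID token claims.

    Returns the invalid_scope error dict when any requested scope is not configured,
    else the claim set the ID token would carry for this request.
    """
    unknown = [s for s in requested_scopes if s not in server["scopes"]]
    if unknown:
        return dict(INVALID_SCOPE)

    claims = {"sub": user["sub"]}
    for claim in server["claims"]:
        if claim["tokenType"] != "ID":
            continue  # claim is configured for the access token, not the ID token
        bound_scopes = set(claim["conditions"]["scopes"])
        if claim["alwaysIncludeInToken"] or bound_scopes & set(requested_scopes):
            claims[claim["name"]] = list(user[claim["name"]])
    return claims


def make_unsigned_sample_jwt(claims):
    """Constructed, unsigned sample token (alg none) for offline inspection only."""
    def segment(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{segment({'alg': 'none', 'typ': 'JWT'})}.{segment(claims)}."


def decode_jwt_payload(jwt):
    """Decode a JWT payload WITHOUT verifying the signature.

    Only useful for checking which claims an issued token contains; a real
    client must still validate the signature, issuer, audience and expiry.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_groups_claim(jwt):
    """True if the token payload carries a groups claim."""
    return "groups" in decode_jwt_payload(jwt)


if __name__ == "__main__":
    request = ["openid", "groups"]
    print("before:", issue_id_token_claims(SERVER_BEFORE, request, SAMPLE_USER))
    after = issue_id_token_claims(SERVER_AFTER, request, SAMPLE_USER)
    print("after:", after)
    print("groups present:", has_groups_claim(make_unsigned_sample_jwt(after)))
```

Running the script shows the invalid_scope error against the pre-step configuration and a groups claim in the ID token once the scope exists and the claim is bound to it; requesting only openid against the configured server yields a token with no groups claim, which is the expected scope-gated behavior rather than a misconfiguration.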
