This article discusses the following error that is received when making an /authorize call:
{
  "error": "invalid_scope",
  "error_description": "One or more scopes are not configured for the authorization server resource."
}
- OpenID Connect
- Authorization servers
- Scopes
This error occurs when using a scope that does not exist or is not compatible with either the Okta org authorization server or the custom authorization server.
To resolve this error, first determine whether an Okta Org authorization server or a custom authorization server is in use. Learn about the differences between these server types in the Available authorization server types documentation.
Okta Org authorization server
If using an Org authorization server, note that custom scopes cannot be created.
- Here is an example of requesting the openid scope, which is required for any OpenID Connect flow. See OpenID Connect - Scope values for more information. If the openid scope value is not present, the request may be a valid OAuth 2.0 request, but it is not an OpenID Connect request.

https://{OktaDomainName}/oauth2/v1/authorize?client_id=0oabucvyc38HLL1ef0h7&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fexample.com&state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601

- Here is an example of obtaining a scoped OAuth 2.0 access token. For a complete list of available scopes, see the OAuth 2.0 scopes documentation. Each access token enables the bearer to perform specific actions on specific Okta endpoints; the scopes within the access token control that ability. For more information, refer to the OAuth for Okta and OAuth for Okta with a service app documentation.

https://{OktaDomainName}/oauth2/v1/authorize?client_id=0oan47pj9BsB30h7&response_type=token&response_mode=fragment&scope=okta.users.read&redirect_uri={PersonallyConfiguredRedirectUri}&nonce=UBGW&state=1234
Custom authorization server
If a custom authorization server is used, ensure it has the required scopes configured and an appropriate access policy and rule to permit them. For configuration steps in Okta, see Create Scopes.
- The /oauth2/default/v1/authorize endpoint is for the predefined (default) custom authorization server and supports custom scopes, but they must be configured first. Below is an example of requesting a custom scope named "customScope":

https://{OktaDomainName}/oauth2/default/v1/authorize?client_id=0oabucvyc38HLL1ef0h7&response_type=code&scope=openid+customScope&redirect_uri=https%3A%2F%2Fexample.com&state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601
- It is also possible to create and use a personally configured custom authorization server. The {authorizationServerId} is a unique identifier (for example, aus9o8wzkhckw9TLa0h7z). This example requests a custom scope called "customScope":

https://{OktaDomainName}/oauth2/aus9o8wzkhckw9TLa0h7z/v1/authorize?client_id=0oabucvyc38HLL1ef0h7&response_type=code&scope=openid+customScope&redirect_uri=https%3A%2F%2Fexample.com&state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601
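As an added example (not code from the Okta article), the following Python builds the two kinds of /authorize URL shown above and pre-checks the scope parameter against the rules the article states for each server type, returning the invalid_scope body when a custom scope is sent to the Org authorization server, or to a custom authorization server where that scope has not been configured. The OIDC scope list, the treatment of okta.* scopes, and the domain used in the test are assumptions.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Standard OpenID Connect scopes accepted by both server types
# (assumption: illustrative list, not Okta's complete scope table).
OIDC_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}

# The error body the article documents.
INVALID_SCOPE = {
    "error": "invalid_scope",
    "error_description": "One or more scopes are not configured for the authorization server resource.",
}


def authorize_url(domain, client_id, scopes, redirect_uri, state, auth_server_id=None):
    """Build an /authorize URL. auth_server_id=None targets the Org authorization
    server (/oauth2/v1/authorize); otherwise /oauth2/{authorizationServerId}/v1/authorize."""
    path = "/oauth2/v1/authorize" if auth_server_id is None else f"/oauth2/{auth_server_id}/v1/authorize"
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),  # encoded as openid+customScope, as in the article's examples
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"https://{domain}{path}?{query}"


def check_scopes(url, configured_custom_scopes=frozenset()):
    """Pre-flight the request the way the article describes each server type judging it.
    Returns None when every requested scope is acceptable, else the invalid_scope body."""
    parsed = urlparse(url)
    scope_param = parse_qs(parsed.query).get("scope", [""])[0]
    is_org_server = parsed.path == "/oauth2/v1/authorize"
    for scope in scope_param.split():
        if scope in OIDC_SCOPES:
            continue
        if is_org_server:
            # Org AS: custom scopes cannot be created there; the Okta API scopes
            # (okta.*, OAuth for Okta) are the only non-OIDC scopes it accepts (assumption).
            if scope.startswith("okta."):
                continue
            return INVALID_SCOPE
        if scope not in configured_custom_scopes:
            # Custom AS: the scope must exist on that server (and be allowed by its policy).
            return INVALID_SCOPE
    return None
```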
Related References
- Authorization Servers Overview
- Customize Authorization Server Guide
- Creating a Scope for an Authorization Server in Okta
- API Access Management
- OAuth 2.0 Scopes
