This article explains why an endpoint protected by an OAuth Access Token returns the following error:
403 insufficient_scope
- Userinfo endpoint
- Management endpoints
- OAuth 2.0
When making a request to an endpoint that supports Bearer token authentication (for example, /oauth2/v1/userinfo or /api/v1/users), an insufficient_scope error is returned in the www-authenticate response header when the token presented was not granted the scope required to access that resource.
Example error returned in the www-authenticate response header:
www-authenticate: Bearer authorization_uri="http://subdomain.okta.com/oauth2/v1/authorize", realm="http://subdomain.okta.com", scope="openid", error="insufficient_scope", error_description="The access token provided does not contain the required scopes.", resource="/oauth2/v1/userinfo"
Within the www-authenticate response header, the scope parameter indicates which scope is required to access the requested endpoint. For example, a call to /oauth2/v1/userinfo requires an Access Token granted the `openid` scope, while a request to /api/v1/groups requires the `okta.groups.read` or `okta.groups.manage` scope.
When requesting a token to use against an endpoint secured by OAuth, ensure that the client includes the necessary scope in its /authorize or /token request.
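The following is an added example, not code from the article or from Okta, showing how a client can parse the Bearer challenge quoted above (the key="value" parameter format defined for Bearer challenges in RFC 6750), work out which scopes the presented token is missing, and build a corrected /authorize request that includes them. The header value, client_id and redirect_uri below are constructed sample values, and the token's granted scopes are passed in as a plain list rather than read from a real token.

```python
import re
from urllib.parse import urlencode

# Constructed sample: the www-authenticate value quoted in the article, with the
# "www-authenticate: " header name already stripped by the HTTP client.
SAMPLE_CHALLENGE = (
    'Bearer authorization_uri="http://subdomain.okta.com/oauth2/v1/authorize", '
    'realm="http://subdomain.okta.com", scope="openid", error="insufficient_scope", '
    'error_description="The access token provided does not contain the required scopes.", '
    'resource="/oauth2/v1/userinfo"'
)

# key="value" pairs; the value may contain backslash-escaped quotes (RFC 6750 auth-param).
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(header_value):
    """Return the auth-params of a Bearer challenge as a dict.

    Raises ValueError if the challenge does not use the Bearer scheme, so a
    caller does not silently treat a Basic or Digest challenge as an OAuth one.
    """
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return {key: value.replace('\\"', '"') for key, value in _PARAM_RE.findall(params)}


def missing_scopes(challenge, granted_scopes):
    """Scopes named in the challenge's scope parameter that the token lacks.

    The scope parameter is a space-separated list; an empty result means the
    token already covers every scope the resource asked for, so the 403 has
    some other cause and re-requesting scopes will not help.
    """
    required = set(challenge.get("scope", "").split())
    return sorted(required - set(granted_scopes))


def corrected_authorize_url(challenge, granted_scopes, client_id, redirect_uri, state):
    """Build the /authorize URL for a new token request that adds the missing scopes.

    Uses the authorization_uri the resource server advertised in the challenge
    (assumption: the client trusts that issuer, which it should verify against
    its configured authorization server rather than following it blindly).
    """
    wanted = sorted(set(granted_scopes) | set(missing_scopes(challenge, granted_scopes)))
    query = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(wanted),
        "state": state,
    }
    return challenge["authorization_uri"] + "?" + urlencode(query)


if __name__ == "__main__":
    challenge = parse_bearer_challenge(SAMPLE_CHALLENGE)
    granted = ["profile", "email"]  # constructed: scopes carried by the rejected token
    if challenge.get("error") == "insufficient_scope":
        print("resource %s needs: %s" % (challenge["resource"], missing_scopes(challenge, granted)))
        print(corrected_authorize_url(challenge, granted, "client-id-placeholder",
                                      "https://app.example.com/callback", "state-placeholder"))
```

Because the scope parameter is only advisory, a client should compare it against the scopes its own configuration allows before re-requesting a token, and should never widen the request beyond what the application actually needs for that resource.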
