When attempting to make an /authorize call to Okta, the request fails, and the following error message is sent to the configured redirect_uri: "Custom scopes are not allowed for this request."
Error example:
Additionally, Okta logs an event in the System Log containing the following failure message:
This error typically occurs when using an authorization URL targeting the Org Authorization Server, as shown in the example below.
Note that there is a custom scope called "someCustomScope" being used in this authorize request:
https://{OktaDomainName}/oauth2/v1/authorize?
client_id={clientId}&
response_type=code&
scope=openid someCustomScope&
redirect_uri=http://localhost:8080/authorization-code/callback&
state=state-123
This same error can also occur when the Client Credentials flow is being used. In this case it is the call to the /token endpoint, rather than the /authorize call, that contains the custom scope.
- API Access Management (API AM)
- OpenID Connect (OIDC)
This error occurs because custom scopes are being requested from the Okta Org Authorization Server.
The Org Authorization Server only supports standard OIDC scopes and Okta API scopes. Because custom scopes cannot be configured or recognized within the Org Authorization Server, including them in the scope parameter of the /authorize or /token request causes the validation to fail.
To successfully request custom scopes, route the /authorize (or /token) call through the Custom Authorization Server where the specific custom scope is defined, as in the example below:
https://{OktaDomainName}/oauth2/{customAuthorizationServerId}/v1/authorize?
client_id={clientId}&
response_type=code&
scope=openid someCustomScope&
redirect_uri=http://localhost:8080/authorization-code/callback&
state=state-123
NOTE: Custom Authorization Servers require the API Access Management (API AM) feature. If the Authorization Servers tab is missing under Security > API in the Okta Admin Console, the Okta org does not have the API AM feature.
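As an added illustration (not part of the Okta article), the following Python pre-flight check flags the exact misconfiguration described above, custom scopes in a request aimed at the Org Authorization Server, whether the scope arrives in the /authorize query string or in the /token form body of a Client Credentials call, and rewrites the endpoint path to a Custom Authorization Server. The domain, client_id and authorization server id values are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlparse, urlunparse

# Scopes the Org Authorization Server recognises: the standard OIDC scopes
# plus Okta API scopes (okta.<resource>.<access>). Anything else is custom
# and is only resolvable by a Custom Authorization Server.
OIDC_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}
ORG_AS_PATH = re.compile(r"^/oauth2/v1/(authorize|token)$")


def classify_scopes(scope_param):
    """Split a space-separated scope string into (recognised, custom) lists."""
    recognised, custom = [], []
    for scope in scope_param.split():
        if scope in OIDC_SCOPES or scope.startswith("okta."):
            recognised.append(scope)
        else:
            custom.append(scope)
    return recognised, custom


def check_request(url, body=""):
    """Return (ok, custom_scopes) for an /authorize URL or a /token URL plus form body.

    ok is False exactly when custom scopes are sent to the Org Authorization Server,
    the condition behind "Custom scopes are not allowed for this request".
    """
    parts = urlparse(url)
    # Client Credentials sends scope in the POST body, so merge both sources.
    scopes = parse_qs(parts.query).get("scope", []) + parse_qs(body).get("scope", [])
    _, custom = classify_scopes(" ".join(scopes))
    targets_org_as = ORG_AS_PATH.match(parts.path) is not None
    return not (targets_org_as and custom), custom


def route_to_custom_as(url, auth_server_id):
    """Rewrite an Org AS endpoint path to the Custom AS with this id; the query is kept."""
    parts = urlparse(url)
    match = ORG_AS_PATH.match(parts.path)
    if match is None:
        return url  # already a Custom AS path (or not an Okta OAuth endpoint)
    new_path = f"/oauth2/{auth_server_id}/v1/{match.group(1)}"
    return urlunparse(parts._replace(path=new_path))


if __name__ == "__main__":
    # Constructed placeholders: substitute your Okta domain, client_id and server id.
    bad = ("https://example.okta.com/oauth2/v1/authorize?client_id=clientId"
           "&response_type=code&scope=openid+someCustomScope&state=state-123")
    print(check_request(bad), route_to_custom_as(bad, "customAuthorizationServerId"))
```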
