Understanding Authorization Error “Custom Scopes Are Not Allowed for This Request”
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

This article explains why the error message below is returned during the /authorize call in Okta.

Custom Scopes Are Not Allowed for This Request

Applies To
  • Okta Identity Engine (OIE)
  • Classic Engine
  • Org Authorization Server
  • Custom Authorization Server
  • Authorization Code Grant
  • Implicit Grant
  • Interaction Code Grant
  • API Access Management
Cause

This error occurs when custom scopes are requested from the Org Authorization Server in Okta. The Org Authorization Server supports only Okta's default API scopes; custom scopes cannot be configured on it, so it does not recognize them. Including a custom scope in the scope parameter of an authorization request sent to that server therefore produces this error.

Example Authorization URL for Org Authorization Server:

https://{yourOktaDomain}/oauth2/v1/authorize?
     client_id={clientId}&
     response_type=code&
     scope=openid someCustomScope&
     redirect_uri=http://localhost:8080/authorization-code/callback&
     state=state-123

Example Error Response:

http://localhost:8080/authorization-code/callback?
    state=state-123&
    error=invalid_scope&
    error_description=Custom+scopes+are+not+allowed+for+this+request.

NOTE: The error is returned as query parameters on the redirect_uri specified in the authorize call, not as a response to the /authorize request itself.

Solution

When requesting custom scopes in the /authorize call, use the Custom Authorization Server endpoint, which includes the ID of the authorization server where the custom scope is defined, instead of the Org Authorization Server endpoint.

Example Authorization URL for Custom Authorization Server:

https://{yourOktaDomain}/oauth2/{customAuthorizationServerId}/v1/authorize?
     client_id={clientId}&
     response_type=code&
     scope=openid someCustomScope&
     redirect_uri=http://localhost:8080/authorization-code/callback&
     state=state-123
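The following Python is an added example, not Okta's code or part of the original article. It builds the two authorization URLs shown above, checks before redirecting the user whether a request would send custom scopes to the Org Authorization Server (the exact condition that produces invalid_scope), and parses the error parameters that arrive on the redirect_uri. The set of scopes treated as Org Authorization Server defaults is constructed for the example; the {yourOktaDomain}-style values and the authorization server ID are constructed placeholders.

```python
"""Build and sanity-check Okta /authorize URLs and parse the callback.
Example code added for this article; it is not Okta's own code."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Scopes the Org Authorization Server understands. This set is constructed
# for the example from Okta's documented default scopes; consult Okta's
# documentation for the authoritative list. Anything else is treated as a
# custom scope, which only a Custom Authorization Server can define.
ORG_SERVER_SCOPES = {"openid", "profile", "email", "address", "phone",
                     "offline_access", "groups"}
ORG_SERVER_SCOPE_PREFIX = "okta."   # Okta API scopes such as okta.users.read


def build_authorize_url(okta_domain, client_id, scopes, redirect_uri, state,
                        auth_server_id=None):
    """Return the /authorize URL for the authorization code grant.

    auth_server_id=None targets the Org Authorization Server
    (/oauth2/v1/authorize); a custom authorization server ID gives
    /oauth2/{id}/v1/authorize, which is where custom scopes are defined.
    """
    if auth_server_id is None:
        path = "/oauth2/v1/authorize"
    else:
        path = f"/oauth2/{auth_server_id}/v1/authorize"
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),      # encoded as openid+someCustomScope
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"https://{okta_domain}{path}?{query}"


def is_org_authorization_server(url):
    """True when the path is /oauth2/v1/... (no authorization server ID)."""
    segments = urlsplit(url).path.strip("/").split("/")
    return segments[:2] == ["oauth2", "v1"]


def custom_scopes(scopes):
    """Scopes the Org Authorization Server will not recognise."""
    return sorted(s for s in scopes
                  if s not in ORG_SERVER_SCOPES
                  and not s.startswith(ORG_SERVER_SCOPE_PREFIX))


def misrouted_custom_scopes(url):
    """Custom scopes that this URL sends to the Org Authorization Server.

    A non-empty result means Okta will answer with error=invalid_scope on
    the redirect_uri, so the check belongs before the user is redirected.
    """
    if not is_org_authorization_server(url):
        return []
    query = parse_qs(urlsplit(url).query)
    requested = query.get("scope", [""])[0].split()
    return custom_scopes(requested)


def parse_callback(callback_url, expected_state):
    """Parse the URL the authorization server redirected the browser to.

    Returns the error fields (or the code on success) plus whether the
    state parameter matches the one we issued; a mismatch must be treated
    as a failed request regardless of the other fields.
    """
    query = parse_qs(urlsplit(callback_url).query)

    def first(key):
        return query.get(key, [None])[0]

    return {
        "state_ok": first("state") == expected_state,
        "code": first("code"),
        "error": first("error"),
        "error_description": first("error_description"),
    }


if __name__ == "__main__":
    # Constructed sample values standing in for the article's placeholders.
    redirect = "http://localhost:8080/authorization-code/callback"
    org_url = build_authorize_url("example.okta.com", "0oaEXAMPLE",
                                  ["openid", "someCustomScope"], redirect, "state-123")
    print(org_url)
    print("misrouted:", misrouted_custom_scopes(org_url))     # ['someCustomScope']

    fixed_url = build_authorize_url("example.okta.com", "0oaEXAMPLE",
                                    ["openid", "someCustomScope"], redirect, "state-123",
                                    auth_server_id="ausEXAMPLE")
    print(fixed_url)
    print("misrouted:", misrouted_custom_scopes(fixed_url))   # []

    # The error response from the article, as the browser delivers it.
    callback = (redirect + "?state=state-123&error=invalid_scope"
                "&error_description=Custom+scopes+are+not+allowed+for+this+request.")
    print(parse_callback(callback, "state-123"))
```

Running the check on the first URL flags someCustomScope before any redirect happens; the same scopes on the custom authorization server URL pass. The callback parser also verifies state, so a spoofed or replayed callback carrying an error or code is rejected rather than surfaced to the user.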
