You get a Scope must include openid error
This one is remarkably straightforward. You make an authorization request, and that request fails with the following error:
That error message means exactly what it says. When you make an authorization request, you must include the scope parameter:
https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/login/authorize
?client_id=a123ef65-83dc-4094-a09a-76e1bec424e7
&redirect_uri=https://oidc-playground.akamai.com/redirect_uri
&scope=openid
&code_challenge=YvOW993Xx4mIG7s8E6WUkC9f4CcQ5nT7sSkR6t_HP3Q
&code_challenge_method=S256
&response_type=code
&state=O-TheDTtiW194aCiQiBlra11lB_jFeLqnYv1Db-cbxw
As a general rule, the scope parameter specifies the user profile information that will be accessible from the userinfo endpoint after a successful authentication. In turn, that means you can access this information simply by connecting to the userinfo endpoint, without having to use the Identity Cloud APIs to query the user profile itself.
But there’s a catch here: not only do you need to include the scope parameter, but you must include the openid scope as well; the openid scope lets the authorization server know that you are making an OpenID Connect request. Suppose you forget to include the openid scope:
https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/login/authorize
?client_id=a123ef65-83dc-4094-a09a-76e1bec424e7
&redirect_uri=https://oidc-playground.akamai.com/redirect_uri
&scope=address
&code_challenge=YvOW993Xx4mIG7s8E6WUkC9f4CcQ5nT7sSkR6t_HP3Q
&code_challenge_method=S256
&response_type=code
&state=O-TheDTtiW194aCiQiBlra11lB_jFeLqnYv1Db-cbxw
What happens then? This happens:
In other words, there’s an easy fix: if you get a scope must include ‘openid’ error message, all you have to do is modify your authorization request to include the openid scope. For example:
https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/login/authorize
?client_id=a123ef65-83dc-4094-a09a-76e1bec424e7
&redirect_uri=https://oidc-playground.akamai.com/redirect_uri
&scope=openid address
&code_challenge=YvOW993Xx4mIG7s8E6WUkC9f4CcQ5nT7sSkR6t_HP3Q
&code_challenge_method=S256
&response_type=code
&state=O-TheDTtiW194aCiQiBlra11lB_jFeLqnYv1Db-cbxw
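The following Python is an added example, not code from the original page. It builds the authorization request so that openid is always part of the space-delimited scope value (sent URL-encoded as %20), derives the S256 code_challenge from a PKCE verifier, and checks a request URL for the scope problem before it is sent. The function names and diagnostic strings are assumptions of this example; the endpoint, client_id and redirect_uri are the page's sample values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Values copied from the page's sample request.
AUTHORIZE = ("https://v1.api.us.janrain.com/"
             "e0a70b4f-1eef-4856-bcdb-f050fee66aae/login/authorize")
CLIENT_ID = "a123ef65-83dc-4094-a09a-76e1bec424e7"
REDIRECT_URI = "https://oidc-playground.akamai.com/redirect_uri"


def s256_challenge(verifier: str) -> str:
    """PKCE S256: base64url(SHA-256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(scopes, verifier, state):
    """Build the request URL; 'openid' is always included in scope."""
    wanted = ["openid"] + [s for s in scopes if s != "openid"]
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(wanted),  # one space-delimited value
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
        "response_type": "code",
        "state": state,
    }
    # quote_via=quote encodes the space inside scope as %20.
    return AUTHORIZE + "?" + urlencode(params, quote_via=quote)


def scope_problem(url):
    """Return this example's diagnostic for a bad scope, or None if it is fine."""
    values = parse_qs(urlsplit(url).query).get("scope")
    if not values:
        return "scope parameter is missing"
    if "openid" not in values[0].split():
        return "scope must include 'openid'"
    return None


if __name__ == "__main__":
    verifier = secrets.token_urlsafe(48)  # 64 characters; RFC 7636 allows 43-128
    url = build_authorize_url(["address"], verifier, secrets.token_urlsafe(32))
    print(url, scope_problem(url))
```

Keep the verifier that produced code_challenge; the same value is needed as code_verifier when the authorization code is exchanged for tokens.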