oauth2.dev

invalid_scope

IETF

Registry Context

OAuth error code used when the requested scope is invalid, unknown, malformed, or exceeds what was granted. RFC 6749 also allows an authorization request with no scope to fail with invalid_scope if no default scope applies.

Technical Summary

Registered OAuth 2.0 error value `invalid_scope` for authorization and token error responses. RFC 6749 defines it for scope-related failures in authorization code grant error responses, implicit grant error responses, and token endpoint error responses, and requires the authorization server to either apply a pre-defined default scope or fail with `invalid_scope` when the authorization request omits `scope`.

When Used

Use when a scope request is invalid, unknown, malformed, or wider than the granted scope; also when an authorization request omits `scope` and the server does not apply a predefined default.

Normative Requirements

Authorization servers

MUST (1)
  1. RFC 6749 - Section 3.3

    either process the request using a pre-defined default value or fail the request indicating an invalid scope.

    Condition: if the client omits the `scope` parameter when requesting authorization

    "If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope."

REQUIRED (3)
  1. RFC 6749 - Section 4.1.2.1

    include an `error` parameter in authorization code grant error responses, whose value is a single ASCII error code from the RFC 6749 set, which includes `invalid_scope` for scope-related failures.

    Condition: when the authorization code grant request fails for reasons other than a missing or invalid redirection URI

    "error REQUIRED. A single ASCII [USASCII] error code from the following: ... invalid_scope The requested scope is invalid, unknown, or malformed."

  2. RFC 6749 - Section 4.2.2.1

    include an `error` parameter in implicit grant error responses, whose value is a single ASCII error code from the RFC 6749 set, which includes `invalid_scope` for scope-related failures.

    Condition: when the implicit grant request fails for reasons other than a missing or invalid redirection URI

    "error REQUIRED. A single ASCII [USASCII] error code from the following: ... invalid_scope The requested scope is invalid, unknown, or malformed."

  3. RFC 6749 - Section 5.2

    include an `error` parameter in token error responses, whose value is a single ASCII error code from the RFC 6749 set, which includes `invalid_scope` for scope-related failures.

    Condition: when returning a token error response

    "error REQUIRED. A single ASCII [USASCII] error code from the following: ... invalid_scope The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner."

Validation Guidance

`error`: Accept `invalid_scope` only as an RFC 6749 error value used for the scope-related failures defined by the specification.

`error`: If an authorization request omits `scope`, verify the server either applies a documented default or returns `invalid_scope`.

`error`: Ensure the serialized `error` value is a single ASCII token and matches `invalid_scope` exactly when that code is used.
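The following is an added example, not part of this registry entry, showing how an authorization server can implement the Normative Requirements and Validation Guidance above: it checks the `scope` parameter against the RFC 6749 Section 3.3 grammar, the server's known scopes and (at the token endpoint) the resource owner's grant, applies the pre-defined default when `scope` is omitted, and otherwise builds an `invalid_scope` error response. The scope names, the default scope and the `ScopePolicy`/`check_scope` names are constructed for illustration.

```python
# Added example (not part of the oauth2.dev registry entry): decide when an
# authorization server should answer with `invalid_scope`, following
# RFC 6749 Sections 3.3, 4.1.2.1, 4.2.2.1 and 5.2.
from dataclasses import dataclass

# scope-token = 1*( %x21 / %x23-5B / %x5D-7E )   (RFC 6749 Section 3.3)
_TOKEN_CHARS = {0x21} | set(range(0x23, 0x5C)) | set(range(0x5D, 0x7F))

@dataclass
class ScopePolicy:
    known: frozenset       # scopes this server understands (constructed sample values)
    default: tuple = ()    # pre-defined default applied when `scope` is omitted

def _error(description: str) -> dict:
    # `error` MUST be the single ASCII code; the description is kept ASCII as well.
    return {"error": "invalid_scope", "error_description": description}

def parse_scope(raw: str):
    """Return the scope tokens, or None if `raw` violates the RFC 6749 grammar
    (empty string, leading/trailing whitespace, double spaces, forbidden octets)."""
    if raw == "" or raw != raw.strip() or "  " in raw:
        return None
    tokens = raw.split(" ")
    for tok in tokens:
        if not tok or any(ord(c) not in _TOKEN_CHARS for c in tok):
            return None
    return tokens

def check_scope(policy: ScopePolicy, requested, granted=None):
    """requested: the `scope` parameter, or None when the client omitted it.
    granted: scopes previously granted by the resource owner (token endpoint,
    Section 5.2 'exceeds the scope granted'); None at the authorization endpoint.
    Returns ("ok", scopes) or ("error", error_response)."""
    if requested is None:
        # Section 3.3: use the pre-defined default or fail indicating an invalid scope.
        if policy.default:
            return "ok", list(policy.default)
        return "error", _error("scope is required; no default scope is configured")
    tokens = parse_scope(requested)
    if tokens is None:
        return "error", _error("scope is malformed")
    unknown = [t for t in tokens if t not in policy.known]
    if unknown:
        return "error", _error("unknown scope: " + " ".join(unknown))
    if granted is not None:
        excess = [t for t in tokens if t not in granted]
        if excess:
            return "error", _error("scope exceeds the grant: " + " ".join(excess))
    return "ok", tokens

# Constructed sample policy: four known scopes, `openid` as the default.
POLICY = ScopePolicy(known=frozenset({"openid", "profile", "email", "offline_access"}),
                     default=("openid",))
```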

Reference

Details

Entry Id
invalid_scope
Name
invalid_scope
Usage Location
authorization endpoint, token endpoint
Protocol Extension
OAuth 2.0 Authorization Framework
Change Controller
IETF
Reference
RFC6749