scope parameter should not be optional

Casual Listener

Hi,

I am trying to use the OAuth2 / OIDC authentication provided by Spotify. According to the OpenID Connect documentation, the scope parameter is not optional, but required. I am using a Quarkus extension that passes "oidc" as the value of this parameter (as defined in the OpenID Connect documentation), but Spotify's Web API is returning a message:

"illegal scope"

for my URL:

"&scope=openid+user-read-private+user-read-email"

but the scope openid is not really "illegal", according to the docs. How could I work around this issue? Isn't the API supposed to accept this value?

Kind Regards,

Rafael


3 Replies

Re: scope parameter should not be optional

Rock Star 16

Hey @rafaeland, thanks for posting here!

Let's dive right into this. I've taken a look and the documentation for the OpenID Connect Core states: 'OpenID Connect requests MUST contain the openid scope value'. It sounds like this is specific to this product from OpenID.

OAuth is a standard which is implemented by multiple services. Their implementation might differ a bit. The standard is described here: https://tools.ietf.org/html/rfc6749.

Let me know if you have any questions!

Have a good one,

Hubo

Note: I'm not a Spotify employee.

Re: scope parameter should not be optional

Casual Listener

Hi, thank you for the prompt answer.

OIDC is an implementation of OAuth2, not the specification per se... I think you're right. Let me investigate further from my side how I can use pure OAuth2.

Kind regards,

Re: scope parameter should not be optional

Regular

Might be a silly idea, but have you tried %20 instead of the + for the space delimiter in your scope list?
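
An added example, not part of the thread and not Spotify's or Quarkus's code: it decodes the scope parameter from the question in both its `+` and `%20` forms and checks the resulting tokens against an allow-list. The function names and `SUPPORTED_SCOPES` are assumptions made for illustration; the set holds only the two non-OIDC scopes quoted in the question.

```python
from urllib.parse import parse_qs, quote, quote_plus, urlencode

# Assumption (constructed for this example): the scopes a plain OAuth 2.0
# authorization server accepts. A real client would take this list from the
# provider's documentation.
SUPPORTED_SCOPES = frozenset({"user-read-private", "user-read-email"})


def parse_scope(query):
    """Return the scope tokens carried in a form-encoded query string."""
    values = parse_qs(query.lstrip("?&")).get("scope", [])
    if len(values) != 1:
        # RFC 6749 section 3.1: request parameters must not be repeated.
        raise ValueError("scope must be present exactly once")
    # RFC 6749 section 3.3: scope is a space-delimited list of tokens.
    return values[0].split()


def encode_scope(scopes, plus_for_space=True):
    """Serialize scope tokens, encoding the space as '+' or as '%20'."""
    return urlencode({"scope": " ".join(scopes)},
                     quote_via=quote_plus if plus_for_space else quote)


def rejected_scopes(scopes, supported=SUPPORTED_SCOPES):
    """Tokens the (assumed) server allow-list does not contain."""
    return [s for s in scopes if s not in supported]


if __name__ == "__main__":
    original = "&scope=openid+user-read-private+user-read-email"  # from the post
    for form in (original, original.replace("+", "%20")):
        tokens = parse_scope(form)
        print(form, "->", tokens, "| not in allow-list:", rejected_scopes(tokens))
    # Pre-flight filter: request only what the allow-list contains.
    kept = [s for s in parse_scope(original) if s in SUPPORTED_SCOPES]
    print(encode_scope(kept), "|", encode_scope(kept, plus_for_space=False))
```

Both encodings decode to the same three tokens, and under the assumed allow-list `openid` is the only one flagged.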