openid-connect-generic
Scope parameter is not supported on an authorization code access_token exchange request.
Hi!
We're getting this error when trying to log in:
"{"error_description":"Scope parameter is not supported on an authorization code access_token exchange request. Scope parameter should be supplied to the authorize request.","error":"invalid_request"}"
The values of the field "OpenID Scope" are set to: profile email
@akselhenriksen79 what Identity Provider are you using?
@timnolte Our client's own identity provider. Is this a problem on their end? It happens every time they try to log in.
@akselhenriksen79 this sounds like a misconfigured IDP. Are they using their own Keycloak install? What service is providing your client's IDP?
Hi again Tim, the service they're using as IDP is ForgeRock OpenAM.
I got a response now from the team responsible for the IDP:
"As discussed over call, we checked and see that from the HAR file, {IDP} has successfully authenticated and has returned the code for the authorization_code grant flow but there is an error on the app url which needs to be checked from the application end. Attaching screenshot from the trace, in which it shows that code was returned. Also, we tried to make a call in postman and were able to get the token with the code, so client id config looks fine. Request you to please check with the application vendor and let us know if any changes required from our end or if you have any question."
In regards to scope: when expecting OIDC-compliant responses, always add (next to the wanted scopes) the openid scope. So the values of the field "OpenID Scope" should be set to: openid profile email
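
As an added example (not code from the plugin or from anyone in this thread), the Python sketch below shows where `scope` belongs in the authorization code flow per RFC 6749: on the authorize request, not in the token exchange body that the IDP error refers to. The endpoint, client id and redirect URI are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlencode, parse_qs

# Constructed placeholder values; none of these come from the thread.
AUTHORIZE_ENDPOINT = "https://idp.example.test/oauth2/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example.test/callback"

# Body parameters of an authorization_code token request (RFC 6749 section 4.1.3),
# plus client_secret for client_secret_post auth and code_verifier for PKCE (RFC 7636).
TOKEN_PARAMS = {"grant_type", "code", "redirect_uri",
                "client_id", "client_secret", "code_verifier"}


def build_authorize_url(scopes, state, nonce):
    """Authorize request: the only place the requested scopes are sent."""
    scope_list = scopes.split()
    if "openid" not in scope_list:
        # OIDC requires the openid scope next to the wanted scopes.
        scope_list.insert(0, "openid")
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scope_list),
        "state": state,
        "nonce": nonce,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def build_token_body(code, client_secret, extra=None):
    """Form body for the code-for-token exchange; no scope parameter."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
    params.update(extra or {})
    return urlencode(params)


def unexpected_token_params(body):
    """Names in a token request body that a strict IDP may reject."""
    return sorted(set(parse_qs(body, keep_blank_values=True)) - TOKEN_PARAMS)
```

Running `unexpected_token_params` over the token request body captured in a HAR file or proxy trace shows whether the client is sending `scope` at the exchange step.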