
Access Management 9.6 - Invalid_Scope Error on redirect of requests

000020102 | 3/17/2023 9:24 PM
Scope/Environment
Tridion Sites 9.6, Access Management
Symptoms/Context
Using Access Management 9.6 with an 'OpenIDConnect' provider, the redirect fails with the following error:

Error:
==============================================================================
Category: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler
Message contains error: 'invalid_scope', error_description: 'The requested scope is invalid, unknown, malformed, or exceeds that which the client is permitted to request.', error_uri: 'error_uri is null'.
===================================================================================================

OpenIdConnect Parameters:
========================================================================================
"parameters": {
"$type": "OpenIdParameters",
"authority": "https://authority-url/",
"clientId": "client Id",
"clientSecret": "client secret",
"endSessionEndpoint": "https://session-endpoint-url/idp/*.ping",
"responseType": "code",
"sendIdTokenHintDuringLogout": false,
"separator": "",
"usernameClaim": "username",
"fullNameClaim": "fullname"
}

"redirectUrl": "https://rediect-url/access-management/psgcd_cme_am/signin-oidc",
"postLogoutRedirectUrl": "https://logout-redirect-url/access-management/psgcd_cme_am/signout-oidc"
=========================================================================================================

Resolution
A hotfix is available for Tridion Sites 9.6 that determines which scope parameters are required before constructing the request.

AccessManagement_1.1.0.31852

It is available via FTP, as described in the article "Where can I find hotfixes for SDL Tridion Sites/Web?".
Root Cause
The IdP does not allow certain optional scopes, but Access Management by default always requests openid, profile, and email from the IdP. In the example above, the email scope is what causes the error.
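The following added example (not code from Access Management or the hotfix) illustrates the defensive check the root cause calls for: before building the authorization request, compare the scopes the client wants against the scopes_supported list in the IdP's OpenID Connect discovery document, and drop the ones the IdP does not advertise instead of sending them and getting an invalid_scope error back. The discovery document, client ID and redirect URI below are constructed placeholders; the openid scope is always retained because OpenID Connect requires it.

```python
import json
from urllib.parse import urlencode

# Constructed sample of an OIDC discovery document (.well-known/openid-configuration).
# A real IdP publishes it at <authority>/.well-known/openid-configuration; here the
# values are made up, and 'email' is deliberately missing from scopes_supported to
# reproduce the situation described in the article.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://authority-url/",
    "authorization_endpoint": "https://authority-url/authorize",
    "scopes_supported": ["openid", "profile"],
})

# Scopes Access Management requests by default, per the article.
DEFAULT_SCOPES = ["openid", "profile", "email"]


def negotiate_scopes(discovery_json, requested=DEFAULT_SCOPES):
    """Split the requested scopes into those the IdP advertises and those it does not.

    'openid' is mandatory for any OpenID Connect request, so it is kept even if the
    IdP omits it from scopes_supported. If the document carries no scopes_supported
    list at all, nothing can be verified and the full request is passed through.
    Returns (kept, dropped), both in the original request order.
    """
    doc = json.loads(discovery_json)
    supported = doc.get("scopes_supported")
    if supported is None:
        return list(requested), []
    allowed = set(supported) | {"openid"}
    kept = [s for s in requested if s in allowed]
    dropped = [s for s in requested if s not in allowed]
    return kept, dropped


def build_authorization_url(discovery_json, client_id, redirect_uri, state,
                            requested=DEFAULT_SCOPES):
    """Build the authorization-code request URL using only IdP-supported scopes.

    Returns (url, dropped) so the caller can log which scopes were left out; if a
    dropped scope backs a claim the application relies on (e.g. email), that is the
    real configuration problem to fix on the IdP side.
    """
    doc = json.loads(discovery_json)
    kept, dropped = negotiate_scopes(discovery_json, requested)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(kept),
        "state": state,
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params), dropped


if __name__ == "__main__":
    url, dropped = build_authorization_url(
        DISCOVERY_DOC, "client-id-placeholder",
        "https://redirect-url/access-management/signin-oidc", "state-placeholder")
    print("authorization request:", url)
    print("scopes not advertised by the IdP:", dropped)
```

With the constructed discovery document the request goes out with `scope=openid profile` and `email` is reported as dropped, which is exactly the scope the article identifies as the trigger. A discovery document without a scopes_supported entry cannot be checked, so the function falls back to sending the full default list rather than silently removing anything.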