Invalid Scope


Ryan O'Connor

May 9, 2017, 10:20:31 AM
to SMART on FHIR
Hi Everyone,

I am receiving the following error from the sandbox.  Can anyone help me out here? 


So far everything seems to work okay.  I have my Launch.aspx loading the correct clientID and sessionID(state), but I cannot get past this scope error.  Is this something that needs to be set on the Sandbox?

Thanks in advance.

Ryan

Ryan O'Connor

May 9, 2017, 10:49:51 AM
to SMART on FHIR
Ok, I figured it out but I don't like the reason why.  It looks like the scope has to be an exact string match between what is set in the sandbox and what is set in my code.   Once I made the strings match, I was able to get in.

Nikolai Schwertner

May 9, 2017, 6:12:35 PM
to smart-...@googlegroups.com
Just to clarify, by "exact match" you mean that the requested scopes need to be present in the OAuth client's allowed scopes exactly (i.e. "patient/*.read" authorization request won't be granted even if "patient/*.*" is in scope for the client), and not that the scopes need to match precisely as a set ("ScopeA, ScopeB, ScopeC" is equivalent to "ScopeB, ScopeA, ScopeC"), correct?
--
You received this message because you are subscribed to the Google Groups "SMART on FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to smart-on-fhi...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Ryan O'Connor

May 10, 2017, 9:51:58 AM
to SMART on FHIR
When registering a Sandbox app (https://sandbox.smarthealthit.org/smartdstu2/#/manage-apps), part of the Registered App Details has an input for Scopes.  Mine happened to be "launch patient/*.* openid profile".  In my JavaScript client, I had them reordered to "openid launch patient/*.* profile".  I kept getting an invalid scope message when trying to connect.  When I rearranged my JavaScript array to output the exact (===) match as the scope that I registered, all flowed nicely with no error.  It would be nice if that scope string is tokenized, sorted, and compared to a tokenized sorted string so that at least in the sandbox environment (A B C) equals (C B A).

Justin Richer

May 10, 2017, 2:21:41 PM
to Ryan O'Connor, SMART on FHIR
OAuth scopes are supposed to be tokenized on spaces with order not mattering — something is wrong here. I would guess that either the auth server is buggy, or it’s possible that you registered the single scope “A B C” instead of three different scopes, “A”, “B”, and “C”. 

 — Justin

Ryan O'Connor

May 10, 2017, 2:24:43 PM
to SMART on FHIR, techn...@gmail.com
That's what I thought too.  I am sure that I put spaces between each "scope" when entering it on the form.  Seems like a backend issue to me.

Travis Cummings

May 11, 2017, 10:16:17 AM
to Ryan O'Connor, SMART on FHIR
Hi Ryan,

If you select the "Registered Apps" section, and choose "edit" for your app in question, what values do you see in the "scopes" area?  Here you can also update the scopes your client is registered using on the auth server.

Also, you can see your client registration directly at https://sb-auth.smarthealthit.org/auth/.

Could you also provide the full URL for the invalid scope response?  That URL should contain the requested scopes and the authorized scopes.

Thanks,
Travis

Ryan O'Connor

May 11, 2017, 10:29:15 AM
to Travis Cummings, SMART on FHIR
Registered App Scope: launch patient/*.* openid user/*.* profile  <- This is what I described


Ok, looks like my output did not match the requested scope.  My error. (missing user/*.*).  I now have a unit test to build.  :-)

Ryan
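
As an added example (not code from the thread or from the sandbox), this JavaScript helper compares a client's requested scope string against its registered scopes the way Justin describes: tokenized on whitespace, with order ignored. It assumes literal per-token matching, the reading in Nikolai's question; the names `tokenizeScopes` and `checkScopes` are hypothetical, and the scope strings are the ones quoted in the thread.

```javascript
// Added example: order-insensitive scope check usable in a client unit test.

// Split a scope value into a set of tokens. Accepts a space-delimited string
// or an array. An array entry that itself contains spaces (one scope "A B C"
// registered instead of "A", "B", "C") is recorded in `fused`.
function tokenizeScopes(value) {
  const isList = Array.isArray(value);
  const parts = isList ? value : [String(value ?? "")];
  const tokens = new Set();
  const fused = [];
  for (const part of parts) {
    const split = String(part).trim().split(/\s+/).filter(Boolean);
    if (isList && split.length > 1) fused.push(part);
    for (const token of split) tokens.add(token);
  }
  return { tokens, fused };
}

// Compare requested scopes against registered scopes as sets.
// Assumption: matching is literal per token, so "patient/*.read" is not
// treated as covered by a registered "patient/*.*".
function checkScopes(registered, requested) {
  const reg = tokenizeScopes(registered);
  const req = tokenizeScopes(requested);
  const notRegistered = [...req.tokens].filter((s) => !reg.tokens.has(s)).sort();
  const notRequested = [...reg.tokens].filter((s) => !req.tokens.has(s)).sort();
  return {
    // ok: every requested token is registered and no registration is fused
    ok: notRegistered.length === 0 && reg.fused.length === 0,
    // sameSet: both sides hold exactly the same tokens, in any order
    sameSet: notRegistered.length === 0 && notRequested.length === 0,
    notRegistered, // requested but absent from the registration
    notRequested, // registered but absent from the request
    fusedRegistrations: reg.fused,
  };
}

// The two strings from the thread differ only in order.
console.log(checkScopes("launch patient/*.* openid profile",
                        "openid launch patient/*.* profile"));
// The registration Ryan later posted, against the same request.
console.log(checkScopes("launch patient/*.* openid user/*.* profile",
                        "openid launch patient/*.* profile"));
```

Listing `notRegistered` and `notRequested` separately shows which side a mismatch is on, which a plain `===` on the two strings cannot.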
