Kinde
Log in

Welcome to the Kinde community

Updated 2 weeks ago

Having problems with supplying scope to Kinde API

SStephen
·
Hi, I'm trying to add some scopes so that I can use the Kinde API through M2M. My backend for this is .NET but I'm not able to generate a token so I've also tried through Postman. Every time I try to supply a scope when authorising I get something the along the lines of The OAuth 2.0 Client is not allowed to request scope 'read:users'. I have checked that my application is authorised and read:users is enabled in the Kinde admin UI. I am using the audience as per the Kinde UI. Not supplying any scopes allows me to authenticate, but obviously actual API calls fail as I don't have any scopes in my access token. Is there something else I am missing?
Attachment
Screenshot_2024-11-04_at_5.50.31_pm.png
S
C
4 comments
SStephen
I eventually figured it out. The 'Postman' instructions were wrong (or at least Kinde doesn't operate the way Postman expects) when it comes to scope submissions. By default Postman will include scopes in the body, which Kinde rejects with the above error message. However, if you empty out the scopes and manually modify the request (using a similar process to the Kinde instructions on populating the audience, but instead add scopes to the header it works.
Attachment
Screenshot_2024-11-05_at_3.28.15_pm.png
CCB_Kinde
Hey @Stephen I'd love to update our docs so others don't encounter this. Can confirm that the modification need to be about:
  • clarifying scopes need to be in the header
  • To remove any existing scopes in Postman
SStephen
Thanks @Claire_Kinde I think it might need to go back to your engineering team to clarify. If most providers are putting (or at least supporting) scopes in the body then I would argue Kinde should fall in line with industry practice. I created another issue in the #🪲┃bug-reports channel and it looks like for M2M Kinde doesn't even look at the scopes, as long as the app is authorised for the scope, then it's allowed. I'm not sure what industry practice is here but I would suggest it's probably a combination of whatever OAuth 2.0 expects (or is generally agreed upon by vendors) and possibly some documentation updates.
CCB_Kinde
Thanks @Stephen I'll forward your comment to an engineer and see if I can come back to you with an explanation why we might have chosen to do things a certain way. As this isn't a blocker for you, a response might take time. Thanks for your feedback.
Add a reply
Sign up and join the conversation on Discord