Access_denied error when “trying” Kakao social connection

Help
, ,
1

I just set up my Kakao social connection. When I hit the Try Connection button, I get the following error message:

  "error": "access_denied",
  "error_description": "Invalid scope: profile"

Since the underlying code that implements Kakao social login is not provided, debugging was limited, and I couldn’t find the cause of the problem.

(One possibility: It may or may not be the problem of inequivalence of parameter Id.
What permissions Auth0 is requesting: profile.
What permissions Kakao provides as an accessible parameter(attribute) Id: profile_nickname, profile_image )

What is the problem? Thanks!

Also, could you (Auth0 developement team) please add more attributes on the permissions list?
There are about ten more attributes that Kakao is providing but are not in the Auth0 Kakao social connection permissions list.

1 Like
2

Hi @imnoone ,

I know this is a very late response but I found this thread while looking for answers to the same issue you’ve experienced!

I did some more digging into the issue, and it seems like Kakao has made some changes to their OAuth OIDC flow and separated the profile consent to two separate consents, profile_nickname and profile_image . While old Kakao application registrations can use the profile scope, new application registrations must use the profile_nickname and profile_image scopes. You can read more about this change here - 닉네임/프로필 사진 동의 항목 분리 및 API 응답 변경사항 안내 / [Change Notice] Separation of consent items (nickname/profile image) and API response - Notice / 공지 - 카카오 데브톡.

Due to this change, the Kakao social connection provided by Auth0 is incompatible with the new flow. I will report this to the Engineering team, but it will take some time for them to review this change and update the Kakao social connection to support the new flow.

Having said that, you can still create a Custom Social Connection in Auth0 to support the new flow. I will share how to configure a Custom Social Connection here.

  1. Create a Custom Social Connection by navigating to Authentication → Social → Create Connection → Create Custom
  2. Set the name as Kakao (or a name you prefer)
  3. Add Authorization URL as - https://kauth.kakao.com/oauth/authorize
  4. Add Token URL as - https://kauth.kakao.com/oauth/token
  5. Add the Scope as - profile_nickname profile_image account_email
  6. Add the Client ID obtained Kakao Developer Portal (App Keys → Rest API Key)
  7. Add the Client Secret obtained from Kakao Developer Portal (Kakao Login → Security)
  8. Use the below code for Fetch User Profile Script 
function fetchUserProfile(accessToken, context, callback) {
  request.get(
    {
      url: "https://kapi.kakao.com/v2/user/me",
      headers: {
        Authorization: "Bearer " + accessToken,
      },
    },
    (err, resp, body) => {
      if (err) {
        return callback(err);
      }

      if (resp.statusCode !== 200) {
        return callback(new Error(body));
      }

      let bodyParsed;

      try {
        bodyParsed = JSON.parse(body);
      } catch (jsonError) {
        return callback(new Error(body));
      }

      const profile = {
        user_id: bodyParsed.id,
        name: bodyParsed.kakao_account.profile.nickname,
        picture: bodyParsed.kakao_account.profile.thumbnail_image_url,
        email: bodyParsed.kakao_account.email,
        email_verified: bodyParsed.kakao_account.is_email_verified,
      };

      callback(null, profile);
    }
  );
}

That’s it! Now you should be able to test the connection by using the “Try Connection” button.

You can also set an icon to the connection using the Update a connection endpoint of the Management API (Auth0 Management API v2). Follow the steps given below to set the connection icon.

  1. Obtain a Management API Access Token by Navigating to the Applications → APIs → Auth0 Management API → API Explorer
  2. Copy the Connection ID of the Custom Social Connection you just created. You can obtain the connection id by navigating to Authentication → Social → SELECT YOUR CONNECTION and on the settings page, you should see the Identifier value.
  3. Using a tool like Postman or API Explorer, call the Get a connection endpoint of the Management API to retrieve all the connection setting parameters. (Auth0 Management API v2)
  4. You should get an JSON object similar to the example given below.
{
  "id": "CONNECTION ID",
  "options": {
    "scope": "profile_nickname profile_image account_email",
    "scripts": {
      "fetchUserProfile": "<FETCH USER PROFILE CODE>"
    },
    "tokenURL": "https://kauth.kakao.com/oauth/token",
    "client_id": "CLIENT ID",
    "client_secret": "CLIENT SECRET",
    "customHeaders": "",
    "authorizationURL": "https://kauth.kakao.com/oauth/authorize"
  },
  "strategy": "oauth2",
  "name": "Kakao-2",
  "is_domain_connection": false,
  "enabled_clients": [
    "CLIENT ID"
  ],
  "realms": [
    "Kakao-2"
  ]
}
  1. Copy the options object from the response you’ve received on step 4 and add the icon_url value to it. Example is given below.
{
   "options":{
      "scope":"profile_nickname profile_image account_email",
      "scripts":{
         "fetchUserProfile":"<FETCH USER PROFILE CODE>"
      },
      "tokenURL":"https://kauth.kakao.com/oauth/token",
      "client_id":"CLIENT ID",
      "client_secret":"CLIENT SECRET",
      "customHeaders":"",
      "authorizationURL":"https://kauth.kakao.com/oauth/authorize",
      "icon_url": "https://cdn.auth0.com/marketplace/catalog/content/assets/creators/kakao/kakao-avatar.png"
   }
}
  1. Send the options object to the Update a connection endpoint (Auth0 Management API v2)

Now, the connection’s icon will be properly displayed in the Universal Login Page.

1 Like
3

Thanks for helping on this one @supun!