Custom Scopes in `/.well-known/openid-configuration` Endpoint

Problem statement

We created custom scopes (permissions) under a custom API (dashboard → Applications → APIs → a custom API → "Permissions" tab), but these custom scopes are not reflected in the response of the /.well-known/openid-configuration endpoint (within the scopes_supported array). Why is that?

Solution

The OpenID Connect Discovery specification says that the server SHOULD list the standard OpenID Connect scope values in scopes_supported (and MUST support the openid scope), but MAY choose not to advertise some supported scope values even when this parameter is used.

Generally, a client connecting with us within a tenant “knows” what it will get in the scope, so there is no need to advertise the custom scopes.

Advertising the custom scopes on a public endpoint could also pose a security risk. In some scenarios it could leak information that attackers or competitors could use to learn more about the nature or function of the service.
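As an added example (not code from the original article), the following Python snippet shows how a client should treat scopes_supported: as a hint about the standard scopes, not as a complete list. The discovery document is a constructed sample embedded inline; the custom scope name read:reports and the issuer https://tenant.example.com/ are assumptions. The scope parameter the client sends is built from what the client already knows it needs, so a custom scope missing from scopes_supported is reported, not dropped.

```python
"""Inspect an OpenID Connect discovery document's scopes_supported.

Added example, not from the original article. The discovery document
below is a constructed sample; in practice you would fetch
https://<issuer>/.well-known/openid-configuration over TLS.
"""
import json

# Constructed sample: the standard OIDC scopes are advertised, the
# tenant's custom API scopes (e.g. read:reports) are not.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://tenant.example.com/",
    "authorization_endpoint": "https://tenant.example.com/authorize",
    "token_endpoint": "https://tenant.example.com/oauth/token",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

# Scope values defined by OpenID Connect Core; the spec says these SHOULD
# be listed in scopes_supported when supported.
STANDARD_OIDC_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}


def classify_scopes(discovery_json, requested):
    """Split the scopes a client wants into advertised / not advertised.

    A scope missing from scopes_supported is NOT evidence that the server
    rejects it: the discovery spec allows servers to omit supported scopes.
    Only the absence of 'openid' is a hard error, since the spec requires it.
    """
    doc = json.loads(discovery_json)
    advertised = set(doc.get("scopes_supported", []))
    if "openid" not in advertised:
        raise ValueError("discovery document must advertise the 'openid' scope")

    result = {"advertised": [], "unadvertised_standard": [], "unadvertised_custom": []}
    for scope in requested:
        if scope in advertised:
            result["advertised"].append(scope)
        elif scope in STANDARD_OIDC_SCOPES:
            # Standard scope not advertised: likely genuinely unsupported.
            result["unadvertised_standard"].append(scope)
        else:
            # Custom API scope: expected to be absent from the public document.
            result["unadvertised_custom"].append(scope)
    return result


def build_scope_parameter(requested):
    """Build the space-delimited scope parameter from what the client knows
    it needs (deduplicated, order preserved), independent of scopes_supported."""
    return " ".join(dict.fromkeys(requested))


if __name__ == "__main__":
    wanted = ["openid", "profile", "read:reports", "address"]
    print(classify_scopes(SAMPLE_DISCOVERY_JSON, wanted))
    print("scope=" + build_scope_parameter(wanted))
```

The practical consequence: drive your authorization request from the scopes your application was registered for, and use scopes_supported only to sanity-check the standard scopes and the mandatory openid value.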