Delegated admin SPA missing scope read:users

I’ve just completed the Delegated admin setup tutorial and have it working when I set the app_metadata roles manually. I’ve been trying to set up a rule for it, but I keep getting this error in the logs:
error: name=ForbiddenError, message=Cannot perform action. Missing scope read:users, status=403

I’ve tried to set the API grant read:users in the client application, via the Machine to machine API settings, but that doesn’t seem to work. In the same page there is information that this is not needed for SPA applications.

"Single Page and Native apps do not require further configuration. SPAs can execute the Implicit Grant to access APIs while Native Apps can do Authorize Code with PKCE for the same purpose."

So my question is, where can I set the read:users grant for the Delegated Admin extension, or the application it created?
I tried to set the grants to Implicit on the auto-generated application, but with no luck.

Hey there @kalle.hoppe!

While I investigate this subject can you please direct message me your tenant so I can reference it while I research? Thanks in advance!

Any update on this? I get the same error. :frowning:

Hi there @ericatil, thanks for resurfacing this topic! When you get a chance can you please share your tenant name in a direct message so we can further dig in? Thanks in advance!

Sent! Thanks for taking a look!

Thank you for sharing the tenant. When you get a chance, can you please do a HAR file capture of the delegated admin logging in, as well as share the email associated with the user experiencing the problem through our direct message? Thanks in advance!


This FAQ is related to the missing scope read:users, so I'm linking it to this topic. Hope it helps!