Overview
This article describes how to resolve an issue where a leading whitespace appears in an /authorize
request. This whitespace can cause logins to fail with the following error message:
Invalid scopes: openid email profile
Applies To
- OIDC Connections
- Scopes
Cause
If two sets of scopes are present in an OIDC connection, a leading whitespace will appear in the /authorize
request.
Solution
There are two options:
Option 1: Remove the "userinfo_scope": "openid email profile" line from the connection's options object.
Steps to remove "userinfo_scope": "openid email profile":
- Get the connection by calling the Get a connection endpoint.
- Copy the response and paste it elsewhere to keep a saved copy if needed.
- Remove "userinfo_scope": "openid email profile" from the object obtained above and update the same connection with the resulting object using the Update a connection endpoint.
- Retry logging in. The whitespace will no longer be present, and the /authorize request will look something like this:
https://DOMAIN/authorize?client_id=CLIENT_ID&scope=openid%20email%20profile&...
Option 2: Update the "mapping_mode" to "bind_all". Follow the steps above, but instead of removing "userinfo_scope", change "mapping_mode" to "bind_all". Example:
{
  "attributes": {
    ...
  },
  "mapping_mode": "bind_all",
  "userinfo_scope": "openid email profile"
}
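The edit behind Option 1 and Option 2, plus a check for the leading whitespace in an /authorize URL, as an added example that is not part of the original article or vendor code. The sample connection is constructed; its nesting under "attribute_map", the "use_map" value, and the assumption that the update body carries the complete options object under an "options" key are not stated on this page.

```python
import copy
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a Get a connection response; the nesting under
# "attribute_map" and the "use_map" value are assumptions for illustration.
SAMPLE_CONNECTION = {
    "id": "con_EXAMPLE",
    "strategy": "oidc",
    "options": {
        "scope": "openid email profile",
        "attribute_map": {
            "attributes": {},
            "mapping_mode": "use_map",
            "userinfo_scope": "openid email profile",
        },
    },
}

def scope_has_leading_whitespace(authorize_url):
    """True if the scope parameter of an /authorize URL starts with whitespace."""
    query = parse_qs(urlsplit(authorize_url).query, keep_blank_values=True)
    return any(s != s.lstrip() for s in query.get("scope", []))

def _holders(node, key):
    """Yield every dict at or below node that contains key."""
    if isinstance(node, dict):
        if key in node:
            yield node
        for child in node.values():
            yield from _holders(child, key)
    elif isinstance(node, list):
        for child in node:
            yield from _holders(child, key)

def build_update_body(connection, option):
    """Option 1 drops userinfo_scope; option 2 sets mapping_mode to bind_all."""
    if option not in (1, 2):
        raise ValueError("option must be 1 or 2")
    options = copy.deepcopy(connection["options"])  # leave the saved copy untouched
    holders = list(_holders(options, "userinfo_scope"))
    if not holders:
        raise ValueError("userinfo_scope not found; nothing to change")
    for holder in holders:
        if option == 1:
            del holder["userinfo_scope"]
        else:
            holder["mapping_mode"] = "bind_all"
    # Send the complete options object back, not only the changed key.
    return {"options": options}
```

Running `scope_has_leading_whitespace` on the /authorize URL captured after the retry step confirms whether the change took effect.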