Last Updated: Dec 3, 2024
Overview
When configuring the Delegated Admin extension (DAE), the user gets a "missing scope read:users" error when opening the extension page.
Troubleshooting
Verify the following:
- Verify that the client being used by DAE actually has the read:users scope for the Management API.
- Check if the DAE roles are correctly populated in the ID Token.
Applies To
- Delegated Admin extension
Cause
This error can happen due to two reasons:
- The client not having the read:users scope
- The user’s roles are not being propagated to DAE properly. This is the likely reason in most cases.
Solution
Verifying the following and fixing any issues there will get it working:
- Whether the roles are defined with the same names as documented: Delegated Administration Extension v3
- Whether at least one role is assigned to the user who is logging in
- Whether you have an Action (or a rule) that adds the roles to the ID token. There is an example Action in the document linked above.
If none of this works, get a HAR file and inspect the ID token being passed to DAE. Check if the roles are populated there and if not, debug accordingly. For example, the Action might not have been bound to the Post-Login flow.
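One way to carry out the HAR check described above, as an added Node.js example that is not from the original article or the extension's documentation: it scans a HAR capture for JWTs, decodes each payload without verifying the signature, and reports any `roles` claim it finds. The host name, claim namespace, and role name in the sample are constructed placeholders; compare the real values against the names in the linked documentation.

```javascript
// Added debugging example. Tokens are decoded only, NOT signature-verified.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;

function decodeJwtPayload(jwt) {
  return JSON.parse(Buffer.from(jwt.split('.')[1], 'base64url').toString('utf8'));
}

// Collect every array-valued "roles" claim, at any depth, with its path.
function findRoles(obj, path = []) {
  const hits = [];
  for (const [key, value] of Object.entries(obj)) {
    if (key === 'roles' && Array.isArray(value)) hits.push({ path: [...path, key], roles: value });
    else if (value && typeof value === 'object') hits.push(...findRoles(value, [...path, key]));
  }
  return hits;
}

// Scan URLs, headers and bodies of every HAR entry for JWTs and report their roles.
function inspectHar(har) {
  const seen = new Set();
  const report = [];
  for (const { request, response } of har.log.entries) {
    const text = [
      request.url,
      ...(request.headers || []).map((h) => h.value),
      request.postData?.text,
      response?.content?.text,
    ].filter(Boolean).join('\n');
    for (const jwt of text.match(JWT_RE) || []) {
      if (seen.has(jwt)) continue; // report each distinct token once
      seen.add(jwt);
      let payload;
      try { payload = decodeJwtPayload(jwt); } catch { continue; } // not a real JWT
      const roles = findRoles(payload);
      report.push({ foundIn: request.url.split(/[?#]/)[0], sub: payload.sub, roles, rolesMissing: roles.length === 0 });
    }
  }
  return report;
}

// Constructed sample: unsigned token, placeholder host, namespace and role name.
function sampleHar(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const token = `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(claims)}.c2ln`;
  return { log: { entries: [{ request: { url: 'https://dae.example.test/api/users?per_page=10',
    headers: [{ name: 'Authorization', value: `Bearer ${token}` }] }, response: { content: {} } }] } };
}

console.log(JSON.stringify(inspectHar(sampleHar({ sub: 'auth0|constructed',
  'https://example.com/auth0-delegated-admin': { roles: ['Delegated Admin - User'] } })), null, 2));
```

To run it on a real capture, pass `JSON.parse(fs.readFileSync('capture.har', 'utf8'))` to `inspectHar`; an entry with `rolesMissing: true` means the token reached DAE without any roles claim.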