"missing scope read:users" error in Delegated Admin extension

Problem statement

When configuring the Delegated Admin Extension (DAE), opening the extension page fails with a “missing scope read:users” error.

Troubleshooting

Check the following, in order:

  1. The application (client) that the DAE uses has the read:users scope granted on the Auth0 Management API
  2. The DAE roles are present, under the expected claim, in the ID token issued to the user who is logging in

Cause

Despite the wording of the message, this error has two possible causes:

  1. The client does not have the read:users scope
  2. The user’s roles are not being propagated to the DAE in the ID token. This is the cause in most cases.

Solution

Check the following and fix any discrepancy; the error clears once all three hold:

  1. The roles are defined with exactly the names given in the documentation: Delegated Administration Extension v3 (the names are compared literally, so spelling, spacing and capitalization must match)
  2. At least one of those roles is assigned to the user who is logging in
  3. An Action (or a legacy Rule) adds the user’s roles to the ID token as a custom claim. There is an example Action in the document linked above.

If none of this works, capture a HAR file of the login and inspect the ID token returned to the DAE. Decode its payload and check whether the roles claim is populated; if it is not, work backwards from the Action. A common cause is that the Action was saved but never added to the Login (post-login) flow, so it never runs. Note that a HAR file contains the user’s tokens and cookies; redact them before sharing it with anyone.
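The following is an added example, not code from the article or from Auth0. It shows the two places the roles must flow through: a Post-Login Action in the shape Auth0 documents (event and api arguments, api.idToken.setCustomClaim) that copies the user’s roles into a namespaced ID-token claim, and an offline decoder for the ID token copied out of the HAR file that reports whether the claim and a recognized DAE role are present. The claim namespace, the DAE client ID and the role-name list are placeholders to be checked against the DAE v3 documentation and your tenant; the decoder reads the payload without verifying the signature, so it is a debugging aid only.

```javascript
// Added example (not the article's or Auth0's own code).
// Assumptions: ROLE_NAMESPACE must match what the DAE is configured to read,
// DAE_CLIENT_ID is the client ID of the extension's application, and DAE_ROLES
// must be checked against the role names in the DAE v3 documentation.
const ROLE_NAMESPACE = 'https://example.com';   // assumed namespace
const ROLES_CLAIM = `${ROLE_NAMESPACE}/roles`;  // assumed claim name
const DAE_CLIENT_ID = 'DAE_CLIENT_ID';           // placeholder
const DAE_ROLES = [                              // verify against the docs
  'Delegated Admin - User',
  'Delegated Admin - Operator',
  'Delegated Admin - Administrator',
];

// Post-Login Action handler. In a real Action this is exports.onExecutePostLogin,
// and it must be added to the Login flow in Actions > Flows or it never runs.
async function onExecutePostLogin(event, api) {
  // Only emit the claim for the DAE application; other clients do not need it.
  if (!event.client || event.client.client_id !== DAE_CLIENT_ID) return;
  // event.authorization.roles carries the Auth0 roles assigned to the user.
  const roles = (event.authorization && event.authorization.roles) || [];
  api.idToken.setCustomClaim(ROLES_CLAIM, roles);
}

// base64url helpers (Buffer is Node's built-in binary type).
function b64urlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}
function b64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Inspect an ID token copied from the HAR (the id_token field of the
// /oauth/token response, or the callback fragment). The signature is NOT
// verified here: this only reads the payload to see what the DAE received.
function checkDaeRoles(idToken, expectedRoles = DAE_ROLES) {
  const parts = idToken.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a compact JWS token' };
  let payload;
  try {
    payload = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return { ok: false, reason: 'payload is not base64url JSON' };
  }
  const roles = payload[ROLES_CLAIM];
  if (!Array.isArray(roles)) {
    return { ok: false, reason: `claim ${ROLES_CLAIM} missing: Action not in the Login flow, or wrong namespace` };
  }
  const matched = roles.filter((r) => expectedRoles.includes(r));
  if (matched.length === 0) {
    return { ok: false, reason: 'claim present but no recognized DAE role name', roles };
  }
  return { ok: true, roles: matched };
}

// Constructed, unsigned token for offline testing only ("alg":"none" header
// and a dummy signature part). Real Auth0 ID tokens are RS256-signed.
function buildDemoIdToken(claims) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const body = b64urlEncode(JSON.stringify(claims));
  return `${header}.${body}.demo`;
}

// End-to-end demo: run the Action against a fake api object that records the
// claim, mint a demo token from the resulting claims, and inspect it.
async function demo() {
  const claims = { iss: 'https://tenant.example.com/', sub: 'auth0|123', aud: DAE_CLIENT_ID };
  const api = { idToken: { setCustomClaim: (k, v) => { claims[k] = v; } } };
  const event = {
    client: { client_id: DAE_CLIENT_ID },
    authorization: { roles: ['Delegated Admin - User'] },
  };
  await onExecutePostLogin(event, api);
  return checkDaeRoles(buildDemoIdToken(claims));
}

demo().then((result) => console.log(result));
```

Run it with node; paste a real id_token from the HAR into checkDaeRoles to see whether the claim reached the extension. If the claim is absent, the Action is not in the flow or the namespace differs from what the DAE expects; if the claim is present but the names do not match, fix the role names.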