
Enforcing scope on developer key breaks OAuth flow?

Question asked by John Melson on Feb 27, 2019
Latest reply on Dec 17, 2019 by Mahmoud Abdo

I have an app that uses the OAuth2 flow described here to authorize a user and receive an access token that is then used to make API calls. When I first wrote the app, I didn't select the "Enforce Scopes" option when creating the developer key it uses. But since the app only needs access to a couple of API endpoints, I thought it would be a good idea to restrict the key so that only those specific endpoints would be available to the authorizing user.


After turning on the "Enforce Scopes" option and selecting the endpoints I need, the app now fails to get past the first step in the OAuth2 flow:

GET https://<canvas-instance-url>/login/oauth2/auth?client_id=XXXX&response_type=code&redirect_uri=<my-redirect-uri>

This should just give me the initial code that can be exchanged for an access token, then redirect back to the specified URI. Instead, it gives me this error:

   "error_description":"A requested scope is invalid, unknown, malformed, or
      exceeds the scope granted by the resource owner."

Turning off the "Enforce Scopes" option on the developer key results in everything working normally again. None of my application code changed, so the only thing that could be causing the error is the scoping.


Am I just misunderstanding how scoping is supposed to work, or is there something I need to change about how I've implemented the OAuth2 flow in my app if I wish to use a developer key with scoping enabled?