OIDC via WindowsSSO Authentication (or another Begin Site) fails with 'Invalid_Scope' or 'Unknown scope'

    Applies to:
  • SecureAuth Identity Platform
  • Legacy SecureAuth IdP
    Deployment model:
  • Cloud
  • Hybrid
  • On Premises
    Versions affected: 21.04 and below

    OIDC realms configured to log in via WindowsSSO (this can also apply to other Begin Site options) can fail with 'Invalid_Scope' or 'Unknown scope' even though the requested scopes are defined in the realm.

    This is caused by the URL parameters being encoded twice: once when the request hits SecureAuth.aspx, and again when the call is passed to WindowsSSO.aspx (or the selected Begin Site). The space separators in the scope parameter, already encoded as '+', are encoded a second time as '%2B'. When the authorize endpoint decodes the value once, it receives the literal string 'profile+email+openid' and treats it as a single, undefined scope rather than three defined ones.

    This can be confirmed in the Debug log for the authentication attempt, where entries similar to the following show the requested scopes being validated as one scope:

    Message="[ScopeValidator].[ValidateScopesWithRealm]: Scope 'profile+email+openid' is not defined in realm configuration."
    Message="[AuthorizeEndpointHandler].[ValidateParameters]: Unknown scope."
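    The following script is an added example, not SecureAuth code, that reproduces the mechanism above and checks a Debug log for its signature. It builds an OIDC authorize query once (correctly) and once with the second encoding the article describes, decodes each the way a query-string parser does, and validates the scopes against a made-up realm scope set. The client id, scope list and realm configuration are assumptions; the log excerpt is constructed to mirror the lines quoted above.

```python
"""Added example: how double URL-encoding collapses an OIDC scope list.

Illustration code, not SecureAuth code. The client id, scope list and
realm scope set are made-up values; the log excerpt is constructed to
mirror the Debug log lines quoted in the article.
"""
import re
from urllib.parse import parse_qs, quote_plus, urlencode

# Hypothetical realm configuration: the scopes the realm actually defines.
REALM_SCOPES = {"openid", "profile", "email"}


def build_authorize_query(scopes, double_encode=False):
    """Return the query string of an OIDC authorize request.

    OIDC scopes are space-separated, so a single encoding yields
    'scope=openid+profile+email'. With double_encode=True the already
    encoded string is encoded once more, turning each '+' separator
    into '%2B'. This models the request being encoded at SecureAuth.aspx
    and again when handed to the Begin Site page.
    """
    params = {
        "response_type": "code",
        "client_id": "demo-client",  # made-up client id
        "scope": " ".join(scopes),
    }
    query = urlencode(params)
    if double_encode:
        # '=' and '&' are kept so the string still parses as a query string;
        # everything else, including '+', is percent-encoded a second time.
        query = quote_plus(query, safe="=&")
    return query


def validate_scopes(query, realm_scopes=REALM_SCOPES):
    """Decode the query once, as the endpoint does, and check each scope.

    Returns (requested_scopes, unknown_scopes). A double-encoded request
    decodes to the literal string 'openid+profile+email', which is then
    treated as one scope that the realm does not define.
    """
    scope_value = parse_qs(query).get("scope", [""])[0]
    requested = scope_value.split(" ")
    unknown = [s for s in requested if s not in realm_scopes]
    return requested, unknown


# Constructed Debug log excerpt mirroring the article's quoted lines, plus
# one genuinely unknown scope for contrast.
SAMPLE_DEBUG_LOG = """\
Message="[ScopeValidator].[ValidateScopesWithRealm]: Scope 'profile+email+openid' is not defined in realm configuration."
Message="[AuthorizeEndpointHandler].[ValidateParameters]: Unknown scope."
Message="[ScopeValidator].[ValidateScopesWithRealm]: Scope 'admin' is not defined in realm configuration."
"""

_SCOPE_ERR = re.compile(r"Scope '([^']+)' is not defined in realm configuration")


def find_collapsed_scopes(log_text):
    """Return rejected scope values that contain '+', the double-encoding tell.

    A genuinely unknown scope such as 'admin' is reported without a '+';
    a value like 'profile+email+openid' means several scopes arrived glued
    together, so the remedy is the hotfix, not adding scopes to the realm.
    """
    return [m.group(1) for m in _SCOPE_ERR.finditer(log_text) if "+" in m.group(1)]


if __name__ == "__main__":
    ok = build_authorize_query(["openid", "profile", "email"])
    bad = build_authorize_query(["openid", "profile", "email"], double_encode=True)
    print(ok, validate_scopes(ok))
    print(bad, validate_scopes(bad))
    print(find_collapsed_scopes(SAMPLE_DEBUG_LOG))
```

Running the script shows the single-encoded query validating cleanly and the double-encoded query producing exactly one unknown scope containing the joined names, which is the pattern to look for in the Debug log before concluding that the realm's scope configuration is wrong.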

    This issue has been fixed in the following hotfix (HF) levels, and in newer HF levels of each release:
    9.3 HF25
    19.07.01 HF32
    20.06 HF9
    21.04 HF1



    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
