Testing the oauth2/userprofile query for Oauth2 with the following Python code:

```python
import requests

# access_token: the bearer token returned earlier by the token endpoint
verify = '/home/claudef/tmp/oauth2/oauth/wso2.pem'  # CA bundle used to verify the server certificate
url = "https://extbasicpacman05.podc.sl.edst.red.com:9443/oauth2/userinfo?schema=openid"
headers = {'Authorization': "Bearer " + access_token}
r = requests.get(url, headers=headers, verify=verify)
```
I get the following error message from the WSO2 Identity server:
```
error":"insufficient_scope","error_description":"Access token does not have the openid scope"
```
Checking the data that is returned when the bearer token is issued, I see a default value of scope=profile, which does not match the default in the userinfo query, which likely uses the value scope=openid.

```
u'token_type': u'bearer', u'scope': u'profile', u'access_token': u'7ae4542fe322d3aba67bf0625039d5f6', u'expires_in': 73, u'refresh_token': u'92d915a25d8bef6ca7ec7b70664c5cbf'}
```
The same error also shows up when using a cURL command.
Please give me some guidance on how to fix this issue so I can read userinfo data from the WSO2 server.
Upvotes: 1
I've isolated the issue. It is required to place the scope value in the initial request for an authorization code, adding the argument right from the beginning of the Oauth2 authentication sequence. Adding the "scope=openid" argument, as shown below, fixed the issue.
<a href="https://extbasicpacman05.podc.sl.edst.red.com:9443/oauth2/authorize?client_id=SXpu7Iaz13YoxM6uT6Lhcu1ixlga&response_type=code&scope=openid&redirect_uri=http://localhost:8080/resources/oauth2Callback&requestedAuthnPolicy=http://www.ibm.com/idaas/authnpolicy/basic">Login via Oauth2</a>
Upvotes: 6
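The point made in the answer, as an added example that is not part of the original post or of WSO2's own code: the scope is fixed when the authorization code is requested, so the client builds the authorize link with scope=openid, checks the token endpoint's reply for that scope, and only then calls userinfo. The server name, client id and CA bundle path are constructed placeholders; the `session` argument is any requests-like object with a `.get()` method.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders; substitute your own Identity Server and client.
IS_BASE = "https://idp.example.test:9443"
CLIENT_ID = "<your-client-id>"
REDIRECT_URI = "http://localhost:8080/resources/oauth2Callback"


def build_authorize_url(base, client_id, redirect_uri, scopes=("openid",)):
    """Build the /oauth2/authorize URL. The 'openid' scope has to be requested
    here: the code (and every token derived from it) carries the scope granted
    at this step, so it cannot be added later at the token or userinfo call."""
    if "openid" not in scopes:
        raise ValueError("userinfo needs the 'openid' scope at authorization time")
    params = {"client_id": client_id, "response_type": "code",
              "scope": " ".join(scopes), "redirect_uri": redirect_uri}
    return f"{base}/oauth2/authorize?{urlencode(params)}"


def authorize_scopes(authorize_url):
    """Return the space-separated scopes present in an authorize link, so an
    existing login link can be checked for 'openid' before it is deployed."""
    query = parse_qs(urlsplit(authorize_url).query)
    return query.get("scope", [""])[0].split()


def token_has_openid(token_response):
    """Inspect the token endpoint's JSON before calling userinfo. The token in
    the question carried only scope=profile, which userinfo rejects."""
    return "openid" in token_response.get("scope", "").split()


def fetch_userinfo(session, base, token_response, ca_bundle):
    """Call /oauth2/userinfo with the bearer token, failing fast with a clear
    message instead of the server's insufficient_scope error."""
    if not token_has_openid(token_response):
        raise PermissionError("token lacks 'openid'; restart the flow with scope=openid")
    headers = {"Authorization": "Bearer " + token_response["access_token"]}
    resp = session.get(f"{base}/oauth2/userinfo", params={"schema": "openid"},
                       headers=headers, verify=ca_bundle)  # verify the IS certificate
    resp.raise_for_status()
    return resp.json()
```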