# ory-copilot
@chilly-king-10285 When I use the wildcard scope strategy with scopes `inventory`, `inventory.product`, `inventory.bundle` for an OAuth Client, then I'm getting the following error when requesting the scope `inventory.*`:
Request:

```
POST <BaseURL>/oauth2/token
{
  "grant_type": "client_credentials",
  "client_id": "c1d049cc-6efa-4b83-a776-69bd84ec089b",
  "client_secret": "0ifDzr.wufYbxYKMhvPolBT-zI",
  "scope": "inventory.*"
}
```

Response:

```json
{
  "error": "invalid_scope",
  "error_description": "The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'inventory.*'."
}
```
Why do I get that error? What do I need to do to fix this?
A message from kapa.ai
The error you're encountering is related to how the wildcard scope strategy works in Ory. When you define scopes like `inventory`, `inventory.product`, and `inventory.bundle` for your OAuth client, you can't directly request a wildcard scope like `inventory.*` in your token request.

## Understanding the issue

The wildcard scope strategy in Ory works differently than you might expect:

- When you define a scope like `foo.*` for a client, it matches `foo`, `foo.bar`, `foo.baz`, etc.
- However, when requesting a token, you need to request the specific scopes you want, not the wildcard pattern itself.

As explained in the [Oathkeeper API access rules documentation](https://www.ory.sh/docs/oathkeeper/api-access-rules#scoped-credentials), the wildcard strategy means:

> Scope `foo.*` matches `foo`, `foo.bar`, `foo.baz` but not `bar`. Scope `foo` matches `foo` but not `foo.bar` nor `bar`

## How to fix it

To fix this issue, you have two options:

1. Request specific scopes: Instead of requesting `inventory.*`, request the specific scopes you need:

   ```
   "scope": "inventory inventory.product inventory.bundle"
   ```

2. Add the wildcard scope to your client: If you specifically want to use the wildcard pattern in requests, you need to add `inventory.*` as an allowed scope for your OAuth client.

## Additional considerations

When using Ory Hydra with Oathkeeper, make sure your scope strategies are synchronized between both services as mentioned in the [Oathkeeper documentation](https://www.ory.sh/docs/oathkeeper/oauth2-token-introspection-hydra):

> When using Ory Oathkeeper together with Ory Hydra the scope strategy needs to be kept in sync.

This ensures consistent behavior across your authentication and authorization infrastructure. Remember that OAuth2 scopes represent user consent and define what the client is authorized to access, as explained in the [OAuth2 concepts documentation](https://www.ory.sh/docs/oauth2-oidc/overview/oauth2-concepts#oauth2-scopes-represent-user-consent).
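As an added illustration (not Ory's own code; Ory's real matcher may differ in edge cases), here is a small Go matcher that implements the wildcard rule exactly as quoted in the answer above and replays the token request from the question against the client's granted scopes, showing why the literal `inventory.*` is rejected and why both fix options pass. The helper names `wildcardMatch` and `scopeAllowed` and the shortened error string are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)
// wildcardMatch: does one granted scope cover one requested scope? Rule as
// quoted from the Oathkeeper docs: "foo.*" matches "foo", "foo.bar",
// "foo.baz" but not "bar"; "foo" matches only "foo". Only a trailing "*"
// segment is a wildcard.
func wildcardMatch(granted, requested string) bool {
	gp := strings.Split(granted, ".")
	rp := strings.Split(requested, ".")
	for i, seg := range gp {
		if seg == "*" && i == len(gp)-1 {
			return true // all segments before "*" matched: covers "foo" and "foo.x..."
		}
		if i >= len(rp) || seg != rp[i] {
			return false
		}
	}
	return len(gp) == len(rp) // no wildcard: exact match only, "foo" does not cover "foo.bar"
}

// scopeAllowed (hypothetical helper) checks a token request's space-separated
// scope string: every requested scope must be covered by at least one scope
// granted to the client, otherwise the request fails with invalid_scope.
func scopeAllowed(clientScopes []string, requested string) (bool, string) {
	for _, want := range strings.Fields(requested) {
		covered := false
		for _, g := range clientScopes {
			if wildcardMatch(g, want) {
				covered = true
				break
			}
		}
		if !covered {
			return false, fmt.Sprintf("invalid_scope: client is not allowed to request scope '%s'", want)
		}
	}
	return true, ""
}

func main() {
	client := []string{"inventory", "inventory.product", "inventory.bundle"} // the question's client
	fmt.Println(scopeAllowed(client, "inventory.*"))                                  // false: "inventory.*" is requested literally and no granted scope covers it
	fmt.Println(scopeAllowed(client, "inventory inventory.product inventory.bundle")) // true: option 1
	fmt.Println(scopeAllowed(append(client, "inventory.*"), "inventory.*"))           // true: option 2, wildcard granted
}
```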