[SOLVED] API change - 'scope' is missing

I have…

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [x] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

When sending a request to ‘identity-server/connect/token’, the response once included a parameter called ‘scope’ and now ‘scope’ is missing from the response.

Our code assumes this parameter exists and now because of that all of our content is down.

Expected behavior

Minimal reproduction of the problem


  • [ ] Self hosted with docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [x] Cloud version

Version: [VERSION]


  • [ ] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [x] Safari (iOS)
  • [ ] IE
  • [ ] Edge


Can you provide me details, what exactly you send to the server?

Do you remember the value for the scope response?

We send scope in the request (equals to “squidex-api”) and I guess we receive the same value in the response. It is our bug that we assumed scope will be in the response because we don’t do anything with it?

It is pretty much a bug on your side, yes.

The specification says:

scope OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED. The scope of the access token as described by [Section 3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).

I have replaced the authentication part with another library and this other library seems to follow the spec.

I will see if I can provide a fix.

Thanks! A fix would be very helpful, as it will resolve the issue for previous app versions.

Yes and the certification process for apps is brutal.

I know :slightly_frowning_face:

Do you think a fix is something that can happen anytime soon/today? (asking as we’re also uploading a new version)

Yes, the fix is in the build pipeline now.

@Sebastian Thanks! And the way it should work is automatically? Do we need to do anything on our end?

Yes, I have added a little bit of code to extend the auth framework to always include the scope in the response.

@Sebastian thanks so much! appreciated. I’ll try on our end in 15-20 minutes to see if it’s all back to normal.

It will take a little bit more time. The build process could be faster. I will update you in this thread.

Thank you! I appreciate it.

It is deployed now to the cloud.

1 Like

Thank you for the prompt support! It’s working now!

1 Like

This topic was automatically closed after 2 days. New replies are no longer allowed.