scope error

when updating user via rest api PUT /d2l/api/lp/(version)/users/(userId)
my app registration has the following scops:
core:*:* enrollment:*:* groups:*:* organizations:*:* orgunits:*:* role:detail:* users:userdata:*
still get the error : "No scopes defined for specified requests."


  • The scopes you register your app with only express the scopes that your app could ask for when requesting a token. You must still specify the scopes you want when actually making a token request; even in that case, in theory, the Brightspace Auth service could only provide a token with a subset of the scopes that were requested, so you may want to verify you got the scopes you asked for and/or be able to copy gracefully with not having all the scopes you asked for (I say in theory, because even though we're within the bounds of OAuth2 to behave that way with token scopes, I'm not sure the Brightspace Auth service would actually do that: give you a token with only a subset of the requested scopes).

    Please verify that:
    - when making a token request, you're asking for the scopes you expect to need with that token
    - if you can, the token you've received actually has the scopes you expect it to have

  • Chadi.A.823
    Chadi.A.823 Posts: 4 🔍

    Thanks Viktor! but i am doing exactly that, asking for the scops i need and checking that i have received them. but still getting the same error message. it sounds very weird to me.

  • Viktor.H.147
    Viktor.H.147 Posts: 38
    edited February 14

    That does sound weird, and I'm not sure I have much to add; you could try requesting the more specific users:userdata:update scope, but that should not matter. What API version are you using here (that also should not matter, though, as the users:userdata:update scope should apply to all versions of that API action)?

  • Chadi.A.823
    Chadi.A.823 Posts: 4 🔍

    I tried all that but it didn't work out.

  • James.C.331
    James.C.331 Posts: 8 🌱

    If you can share the URL you are using for your auth request it might help diagnose the issue. You could remove the client id & redirect uri if you don't want to share those. Alternatively, you could just share the scope parameter from the auth url to see if there's an issue there.