Reputation: 1401
We have a React app that authenticates with Google OIDC. It was working fine, and then suddenly users got the error below out of nowhere.
Error 400: invalid_scope. Requests for only id token must contain a subset of [openid, email, profile] scopes
We need to access user data, so our scope for the auth provider is:
export const AUTH_OIDC_SCOPE = 'https://www.googleapis.com/auth/admin.directory.user'
Auth code:
const provider = new firebase.auth.OAuthProvider(AUTH_PROVIDER)
provider.addScope(AUTH_OIDC_SCOPE)

const authenticateWithGcp = () => {
  firebase
    .auth()
    .signInWithPopup(provider)
    .catch((error) => {
      return error
    })
}

useEffect(() => {
  firebase.auth().onAuthStateChanged((user) => {
    if (user) {
      user.getIdToken(true).then((token) => {
        // ....
      })
    } else {
      authenticateWithGcp()
    }
  })
}, [])
Any idea how to fix the error, while keeping admin.directory.user in scope?
Upvotes: 0
Views: 2641
Reputation: 19951
If you look at the error message, it says "Requests for only ID token" and that is the problem here.
When you ask for only the ID-token, you need to ask for the user details like openid, email or profile... Otherwise the ID-token would be empty.
And just asking for the ID-token means that you don't want any access token. So that means the AUTH_OIDC_SCOPE should be:
AUTH_OIDC_SCOPE = 'openid email profile'
If that is what you meant to do.
Upvotes: 2
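The rule quoted in the error message can be checked before the sign-in redirect is built. The following is an added example, not code from the question or the answer: the function names are hypothetical, it assumes the planned request's response_type and scope are available as space-delimited strings (the standard OAuth 2.0 form), and it models only this one rule.

```javascript
// Added example: pre-flight check mirroring the rule in the error text above.
// The allowed set is copied from the error message on this page; all function
// and variable names here are hypothetical.
const ID_TOKEN_ONLY_SCOPES = new Set(['openid', 'email', 'profile'])

// OAuth 2.0 / OIDC carry response_type and scope as space-delimited lists.
const splitList = (value) => value.trim().split(/\s+/).filter(Boolean)

// True when the request asks for an ID token and nothing else
// (no authorization code, no access token).
function isIdTokenOnly(responseType) {
  const types = splitList(responseType)
  return types.length > 0 && types.every((t) => t === 'id_token')
}

// Classifies the requested scopes and reports the ones this rule would reject.
function checkScopeRequest(responseType, scope) {
  const scopes = [...new Set(splitList(scope))]
  const identityScopes = scopes.filter((s) => ID_TOKEN_ONLY_SCOPES.has(s))
  const apiScopes = scopes.filter((s) => !ID_TOKEN_ONLY_SCOPES.has(s))
  // API scopes only make sense when a code or access token is also requested.
  const rejected = isIdTokenOnly(responseType) ? apiScopes : []
  return { ok: rejected.length === 0, rejected, identityScopes, apiScopes }
}

// Constructed sample requests; the directory scope is the one from the question.
const DIRECTORY_SCOPE = 'https://www.googleapis.com/auth/admin.directory.user'
const samples = [
  ['id_token', DIRECTORY_SCOPE],
  ['id_token', 'openid email profile'],
  ['code', `openid email ${DIRECTORY_SCOPE}`],
]
for (const [responseType, scope] of samples) {
  const result = checkScopeRequest(responseType, scope)
  const verdict = result.ok ? 'ok' : `invalid_scope: ${result.rejected.join(' ')}`
  console.log(`${responseType} | ${scope} -> ${verdict}`)
}
```

Separating `identityScopes` from `apiScopes` also makes it visible when a sign-in request carries a sensitive scope such as admin.directory.user, which is worth reviewing on least-privilege grounds.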