I’m trying to set up an OAuth2+OIDC implicit flow with PKCE. I set up my OAuth2/OIDC client using this command:
docker-compose exec hydra hydra clients create \
--endpoint http://localhost:4445 \
--id test-client \
--secret test-secret \
--response-types code,id_token \
--grant-types refresh_token,authorization_code \
--scope openid,offline \
--callbacks localhost:7999/oauth2/callback --token-endpoint-auth-method none
and I used this URL to manually trigger a login attempt: http://localhost:4444/oauth2/auth?client_id=test-client&scope=offline,openid&response_type=code,id_token,token
However, I’m getting this error: level=error msg="An error occurred" description="The requested scope is invalid, unknown, or malformed" error=invalid_scope hint="The OAuth 2.0 Client is not allowed to request scope "offline,openid"."
How do I fix this? Also, there seems to be no documentation on the CLI anywhere except with the executable itself, which isn’t very accessible.
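
The hint in the error above shows the whole string `offline,openid` being checked as one scope name. RFC 6749 section 3.3 defines the `scope` request parameter as a space-delimited list, so the following added example (not part of the original post and not Hydra's own code) parses scopes that way and builds an authorization request with space-delimited scopes and an RFC 7636 S256 PKCE challenge. The function names, the `state` parameter and the use of `response_type=code` are assumptions made for the illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Scopes registered for the client in the post (--scope openid,offline).
ALLOWED_SCOPES = {"openid", "offline"}


def parse_scope(raw):
    """RFC 6749 section 3.3: scope is a list of space-delimited tokens."""
    return raw.split(" ") if raw else []


def rejected_scopes(raw, allowed=ALLOWED_SCOPES):
    """Return the requested scope tokens the client is not registered for."""
    return [s for s in parse_scope(raw) if s not in allowed]


def pkce_pair():
    """RFC 7636: random verifier and its S256 challenge (base64url, unpadded)."""
    verifier = secrets.token_urlsafe(32)  # 43 characters, within the 43-128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_url(base, client_id, scopes, response_type="code"):
    """Build an authorization request URL; returns (url, code_verifier)."""
    verifier, challenge = pkce_pair()
    params = {
        "client_id": client_id,
        "response_type": response_type,      # assumption: plain code flow
        "scope": " ".join(scopes),           # space-delimited, not comma
        "state": secrets.token_urlsafe(16),  # assumption: random CSRF value
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return base + "?" + urlencode(params), verifier


if __name__ == "__main__":
    print(rejected_scopes("offline,openid"))  # comma form: one unknown token
    print(rejected_scopes("offline openid"))  # space form: nothing rejected
    url, _ = build_auth_url("http://localhost:4444/oauth2/auth",
                            "test-client", ["offline", "openid"])
    print(url)
```

The returned `code_verifier` has to be kept by the client and sent with the later token request, which is what binds the code exchange to the party that started the flow.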