indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

INDIGO IAM "scim:read" scope not included in max/all scope #573

Closed at88mph closed 5 months ago

at88mph commented 5 months ago

I'm running the latest 1.8.3 INDIGO IAM server. The scim:read scope was added to protect read access to the SCIM API user information, but it must be added by an administrator. The admin has allowed the scope to be a default to all clients, and has allowed it to be added to dynamically registered clients.

Using:

$ oidc-gen --iss https://myiam.com --scope-max --flow device my-client-max

Shows that the scim:read scope is absent, and similarly with --scope-all. If I specify all of the scopes that I would expect max to include:

$ oidc-gen --iss https://myiam.com --scope "openid profile address email offline_access entitlements phone scim:read" --flow device my-client-max

Then the scim:read scope appears as expected. Is this intended, or an issue with oidc-agent or with the IAM service? I'm trying to pinpoint where this goes. I have tried with both oidc-agent 5.0.1 and 5.1.0.

zachmann commented 5 months ago

With --scope-max, --scope-all and --scope=max you indicate you want to use all scopes. Then the agent uses all scopes it knows about. It learns which scopes are supported by an OP from the /.well-known/openid-configuration endpoint. I would assume that the scim:read scope is not listed there under scopes_supported. Therefore, the agent doesn't know about it. Could you check that?
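The check zachmann asks for can be scripted. The following is an added example, not code from oidc-agent or INDIGO IAM: it reads scopes_supported from an OIDC discovery document and reports which of the scopes you intend to request the OP does not advertise, which is exactly the set a "max" or "all" request will silently leave out. The embedded discovery document is constructed for illustration and the issuer host myiam.example is an assumption; pass a real issuer URL as the first argument to run the same check against a live server.

```python
"""Compare the scopes you intend to request with what an OpenID Provider
advertises under scopes_supported in /.well-known/openid-configuration.

Added example; not part of oidc-agent or INDIGO IAM. The discovery
document below is constructed, and myiam.example is an assumed issuer."""
from __future__ import annotations

import json
import sys
import urllib.request
from typing import Iterable

# Constructed discovery document shaped like a real OP response.
# scim:read is deliberately absent to mirror the situation in the issue.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://myiam.example",
  "authorization_endpoint": "https://myiam.example/authorize",
  "token_endpoint": "https://myiam.example/token",
  "scopes_supported": ["openid", "profile", "email", "address", "phone",
                       "offline_access", "entitlements"]
}
""")

# The scopes the reporter expected a "max" request to include.
EXPECTED_SCOPES = ("openid profile address email offline_access "
                   "entitlements phone scim:read").split()


def discovery_url(issuer: str) -> str:
    """Standard OIDC discovery location for an issuer (trailing slash tolerated)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Fetch and parse the live discovery document; needs network access."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def advertised_scopes(discovery: dict) -> list[str]:
    """Scopes the OP advertises. scopes_supported is optional in the spec,
    so a document without it advertises nothing."""
    return list(discovery.get("scopes_supported", []))


def missing_scopes(requested: Iterable[str], discovery: dict) -> list[str]:
    """Requested scopes the OP does not advertise, in request order, deduplicated."""
    advertised = set(advertised_scopes(discovery))
    seen: set[str] = set()
    missing: list[str] = []
    for scope in requested:
        if scope not in advertised and scope not in seen:
            seen.add(scope)
            missing.append(scope)
    return missing


def max_scope_string(discovery: dict) -> str:
    """Space-separated scope value a client that asks for "every advertised
    scope" would send; anything not advertised cannot appear here."""
    return " ".join(advertised_scopes(discovery))


if __name__ == "__main__":
    # With an issuer URL on the command line, check the live OP;
    # otherwise use the constructed document.
    doc = fetch_discovery(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DISCOVERY
    print("issuer:           ", doc.get("issuer"))
    print("scopes_supported: ", max_scope_string(doc))
    gap = missing_scopes(EXPECTED_SCOPES, doc)
    if gap:
        print("not advertised:   ", " ".join(gap))
        print("a 'max'/'all' request will not include these; request them explicitly")
    else:
        print("all expected scopes are advertised")
```

If a scope shows up as "not advertised" here, the fix belongs on the OP side (the scope has to be published in the discovery document), not in the client; until then, listing the scope explicitly with --scope is the only way a client can ask for it.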

at88mph commented 5 months ago

Thank you! I will do that.

at88mph commented 5 months ago

Confirmed, it's not listed in the scopes_supported output. Thank you for the confirmation, @zachmann.

at88mph commented 5 months ago

Issue lies with the INDIGO IAM service. Closing this issue.