I’m using OAuth2 to authenticate users within my website and app by using /authorize with response type “code” to get a single use code, then /token with the code to get an access token. I then want to be able to pass the access token into /userinfo to get information such as their name and email that the reference here says I should be able to do: https://developer.okta.com/docs/reference/api/oidc/#userinfo
However, I’m currently only getting the “sub” value and nothing else, because the only scope included with the access token is openid, but I don’t seem to be able to include profile at all. If I include it in the initial /authorize request, I’m sent straight to my redirect_uri with the following: error=invalid_scope&error_description=Custom+scopes+are+not+allowed+for+this+request.
If I include the key scope with value profile in my /token request, it is seemingly ignored and I’m still given an access_token back but only with the openid scope again.
What am I missing?
EDIT: I was comma separating the scopes instead of space separating them. Oof.