The JWT issued by Okta has a claim named “scp”, an array of strings, which is used for scopes. But according to the RFC, the claim should be named “scope”, a JSON string containing a space-separated list of scopes. Please clarify if I have misunderstood. Any help or suggestion would be highly appreciated.
I think you might be wrong here. The RFC you mentioned is a specific one for
... defines a protocol for an HTTP- and JSON-based Security Token Service (STS) and not OIDC/OAuth, which do not require this claim to be present in the token. OIDC defines a list of standard claims in https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims and OAuth doesn’t even require the access token to be in JWT format.
@phi1ipp Thanks for the clarification.
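An added example, not part of the thread and not Okta's code: a resource server can accept both shapes discussed above, the “scp” array and the space-separated “scope” string, and normalize them before an authorization check. It assumes the token's signature, issuer, audience and expiry were already validated elsewhere; the function names and sample claims are hypothetical.

```python
from __future__ import annotations
from typing import Any, Iterable, Mapping


class ScopeClaimError(ValueError):
    """A scope claim is present but malformed or contradictory."""


def extract_scopes(claims: Mapping[str, Any]) -> frozenset[str]:
    """Return the granted scopes from already-verified JWT claims."""
    found: list[frozenset[str]] = []
    if "scp" in claims:  # array-of-strings form described in the question
        scp = claims["scp"]
        if not isinstance(scp, list) or not all(
            isinstance(s, str) and s and " " not in s for s in scp
        ):
            raise ScopeClaimError("scp must be an array of non-empty scope tokens")
        found.append(frozenset(scp))
    if "scope" in claims:  # single space-separated string form
        scope = claims["scope"]
        if not isinstance(scope, str):
            raise ScopeClaimError("scope must be a string")
        found.append(frozenset(scope.split(" ")) - {""})
    # Fail closed if a token carries both claims and they do not match.
    if len(found) == 2 and found[0] != found[1]:
        raise ScopeClaimError("scp and scope claims disagree")
    return found[0] if found else frozenset()


def is_authorized(claims: Mapping[str, Any], required: Iterable[str]) -> bool:
    """True only if every required scope was granted."""
    return set(required) <= extract_scopes(claims)


# Constructed sample claims (not taken from a real token).
ARRAY_STYLE = {"sub": "user@example.com", "scp": ["openid", "orders.read"]}
STRING_STYLE = {"sub": "user@example.com", "scope": "openid orders.read"}

if __name__ == "__main__":
    for sample in (ARRAY_STYLE, STRING_STYLE):
        print(sorted(extract_scopes(sample)), is_authorized(sample, ["orders.read"]))
```

A token with neither claim yields an empty set, so any check that requires a scope denies by default.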