OAuth2 Error - Unknown/invalid scope(s)

Hi @hwilliams, referring to this post: Error of the Callback of third party Oauth, I am still getting the error:

The solution is suggested in: Error of the Callback of third party Oauth - #18 by EdgarCap

Why was the suggestion not implemented?
Also, I manually changed the procedure in the DB but with no effect (also after restarting Virtuoso). Must I reload the package, or is there a simpler way to do it?

Thanks.
Regards.

What are the Virtuoso and VAL VAD versions being used? You confirmed it was working in the Error of the Callback of third party Oauth - #18 by EdgarCap post with the val_dav.vad.zip (747.7 KB) package @cblakeley provided with a fix, which should also be in our latest available VAL VADs.

Hi @hwilliams,

No, this code is not present in:

      -- scope request parameter is not required for authorization code grant
      -- if (not isnull (scope))
      --   params := params || sprintf ('&scope=%U', scope);

in the procedure VAL.DBA.oauth_token.

Also I am getting strange, random errors trying to uninstall VAL, like:

I must better investigate.

Hi @hwilliams,

The error was caused because somehow the package was deleted but was still in the list of present packages:

Any ideas to solve this issue?

Based on your screenshot you are running a Virtuoso 08.02.3309 build from Oct 2018 (and the associated VAL VAD 2.2.2_git161 version), which is very old. There have been a number of VAL and other related fixes in the latest Virtuoso 08.03.3329 Release Sept 2023 build, which you would most probably benefit from, and I would recommend upgrading to it.

Hi @hwilliams,

Trying to use OAuth on Virtuoso 8.3 I have this issue:

    Identity Provider Binding Not Verified!
    Error: Failed to connect to service "Auth"

And:

  /oauth/verify.vsp?service=Auth&v=no&msg=Failed%20to%20connect%20to%20service%20%22Auth%22.&error.msg=Failed%20to%20connect%20to%20service%20%22Auth%22.

Before:

        /val/api/thirdparty_callback?code=zz90IYflE_vksD4UiZFvRkWYFQM&iss=.....................................

Return:

  { "status": "error", "httpcode": "500", "code": "other_error", "message": "No data found or unspecified message" }

What are you actually attempting to do: set up a third-party IdP with VAL using OAuth? If so, which IdP is it, and what steps are being performed/followed?

I assume, based on the first message, that it is when attempting to verify the binding that it is failing?

Also, I assume you have set up a new Virtuoso 8.3 instance and had OAuth working with the same IdP on the previous Virtuoso version?

@EdgarCap

no, this code is not present in : …

The fix we supplied to you in Oct’22 was integrated into our production VAL VAD shortly afterwards. Below is an extract from the current VAD.

procedure VAL.DBA.oauth_token (
   ...
  -- A scope request parameter is not required for authorization code grant.
  -- An OpenAM Authorization Server returns an error if a redundant scope parameter is supplied 
  -- with an access token request and Authorization Code Grant is used.
  -- See: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3

  -- if (not isnull (scope))
  --   params := params || sprintf ('&scope=%U', scope);
  ...

Please check your VAL VAD is up to date. If you still get an error when verifying the identity provider binding, we will need more detailed information to isolate the cause.

To get a detailed Virtuoso console trace showing OAuth/OIDC calls, issue this command before verifying the binding:
registry_set ('__debug_oauth2.0', '1');

Afterwards, to turn the OAuth diagnostics off, issue
registry_remove('__debug_oauth2.0');

Please provide us with a Virtuoso console trace and a browser trace showing the network calls.

/cc @hwilliams

Hi @cblakeley and @hwilliams,

I set registry_set ('__debug_oauth2.0', '1') but do not find any elements in the Monitor->Log Viewer. Are there other actions that I must take to enable the log?

I found the response in Error of the Callback of third party Oauth - #12 by EdgarCap :wink:

Here is the debug output:

  VAL.DBA.oauth_token (1ld, 'oidc', ('xxxxx' 'pass' ))
  DB.DBA.app_reg_verify_error ('http://IP:8890/oauth/verify.vsp?service=Auth%20XXX', ('service' 'Auth XXX' 'url' 'http://IP:8890/oauth/verify.vsp?service=Auth%20XXX' 'scope' 'basic' 'realm' 'http://www.openlinksw.com/ontology/acl#DefaultRealm' 'proc' 'DB.DBA.app_reg_verify_success' 'eproc' 'DB.DBA.app_reg_verify_error' ), 'Auth XXX', '22023', 'Failed to connect to service \"Auth XXX\".')

Thanks.

Regards.

@EdgarCap

To see the Virtuoso debug output, you need to start Virtuoso in the foreground using the -f flag.
e.g. virtuoso-t -f

This is the debug output I sent in the previous topic:

  VAL.DBA.oauth_token (1ld, 'oidc', ('xxxxx' 'pass' ))
  DB.DBA.app_reg_verify_error ('http://IP:8890/oauth/verify.vsp?service=Auth%20XXX', ('service' 'Auth XXX' 'url' 'http://IP:8890/oauth/verify.vsp?service=Auth%20XXX' 'scope' 'basic' 'realm' 'http://www.openlinksw.com/ontology/acl#DefaultRealm' 'proc' 'DB.DBA.app_reg_verify_success' 'eproc' 'DB.DBA.app_reg_verify_error' ), 'Auth XXX', '22023', 'Failed to connect to service \"Auth XXX\".')

I think the problem is in:

create procedure DB.DBA.app_reg_verify_success (
  in url varchar,
  in params any,
  in service varchar,
  in serviceId varchar,
  in profileData any,
  in oauthData any,
  in oauthSid varchar)
{
  if ((registry_get ('__debug_oauth1.0') = '1') or (registry_get ('__debug_oauth2.0') = '1'))
    dbg_obj_princ ('DB.DBA.app_reg_verify_success (', url, params, service, serviceId, ')');
  declare _key, _secret varchar;
  declare exit handler for not found
  {
    return sprintf ('%s&v=no', url);
  };
  update OAUTH.DBA.APP_REG set A_VERIFIED = 1 where A_NAME = service;
  select A_KEY, A_SECRET into _key, _secret from OAUTH.DBA.APP_REG where A_NAME = service;

  return sprintf ('%s&v=yes', url);
}

In declare exit handler for not found

@EdgarCap

There’s not enough information in your previous posts for me to understand what’s going wrong. Please provide the traces I’ve asked for.

Using Chrome’s Dev Tools, you can dump the browser trace of the network requests to a .har file using the highlighted menu item in the screenshot below. You can then edit the .har file to remove any confidential information before sending it to us with the Virtuoso console output.

Also, which OAuth service are you trying to bind to?

/cc @hwilliams

Hi @cblakeley,

Service is: Auth XXX

I can't upload the .har file; I will send it to you via mail.

Regards.

I guess this is the name you're using for the OAuth binding you've created. I meant, what is the product name of the target OAuth service? Is it a commercial or open source OAuth service?

Hi @cblakeley, it is the commercial ForgeRock IAM.

@EdgarCap

I’ve received the .har file you emailed, thanks. The OAuth callback URL you’ve specified in the OAuth binding looks odd - http://IP:8890/val/api/thirdparty_callback. This should be an https endpoint, not http. Please also provide a Virtuoso console trace.

/cc @hwilliams

Hi @cblakeley and @hwilliams, why must http://IP:8890/val/api/thirdparty_callback be in https? The OpenLink Virtuoso is in http!

HTTPS is a requirement for VAL OIDC and OAuth authentication as detailed in the prerequisites section of the documentation.
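The two server-side points made in this thread, that the access token request for the authorization code grant carries no scope parameter (RFC 6749 §4.1.3, the VAL fix quoted above) and that the callback endpoint must be https, can be checked independently of Virtuoso. The following is an added Python example, not VAL or Virtuoso code: it builds the token request body the way the fixed VAL.DBA.oauth_token does (dropping scope even when one was used at the authorization step), validates a callback URI against the https prerequisite and the RFC's no-fragment rule, and interprets the verify.vsp redirect VAL returns after a binding check. All sample values (client id, code, hostnames) are constructed for the demo.

```python
"""Added example (not VAL/Virtuoso code): RFC 6749 §4.1.3 token request without
scope, callback URI checks, and parsing of the VAL verify.vsp result redirect."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values for the demo; none of these come from a real deployment.
SAMPLE_CODE = "code-constructed-123"
SAMPLE_CALLBACK = "https://virtuoso.example.invalid/val/api/thirdparty_callback"
SAMPLE_CLIENT_ID = "val-client-constructed"


def build_token_request(code, redirect_uri, client_id, scope=None):
    """Return the form parameters of an access token request for the
    authorization code grant (RFC 6749 section 4.1.3).

    grant_type, code, redirect_uri (when it was sent with the authorization
    request) and client_id are the parameters the RFC defines for this step.
    'scope' is accepted so a caller can reuse the same settings it used for
    the authorization request, but it is deliberately not added: the RFC does
    not define it here, and the thread reports an OpenAM/ForgeRock server
    rejecting it as a redundant parameter.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    # scope intentionally omitted for this grant type (see docstring).
    return params


def encode_token_request(params):
    """Encode the parameters as application/x-www-form-urlencoded."""
    return urlencode(params)


def check_callback_uri(uri):
    """Return a list of problems with a callback/redirect URI (empty if fine).

    https is the VAL prerequisite stated in the thread; the absolute-URI and
    no-fragment rules are from RFC 6749 section 3.1.2.
    """
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("scheme must be https (got %r)" % parts.scheme)
    if not parts.netloc:
        problems.append("redirect URI must be absolute")
    if parts.fragment:
        problems.append("redirect URI must not contain a fragment")
    return problems


def parse_verify_result(url):
    """Interpret the /oauth/verify.vsp redirect produced after a binding check.

    Returns (verified, message): verified is True only when v=yes; message is
    the decoded 'msg' parameter, or None when absent.
    """
    qs = parse_qs(urlsplit(url).query)
    verified = qs.get("v", [""])[0] == "yes"
    message = qs.get("msg", [None])[0]
    return verified, message


if __name__ == "__main__":
    body = encode_token_request(
        build_token_request(SAMPLE_CODE, SAMPLE_CALLBACK, SAMPLE_CLIENT_ID, scope="basic"))
    print("token request body:", body)
    for uri in (SAMPLE_CALLBACK, "http://IP:8890/val/api/thirdparty_callback"):
        print(uri, "->", check_callback_uri(uri) or "ok")
    failed = ("https://IP/oauth/verify.vsp?service=Auth%20So&v=no"
              "&msg=Failed%20to%20connect%20to%20service%20%22Auth%20So%22.")
    print("verify result:", parse_verify_result(failed))
```

The redirect URI is sent twice in the flow (authorization request and token request) and must match exactly, so run the same check on the value stored in the VAL binding before testing it against the IdP; an http callback fails the check here exactly as it fails VAL's prerequisite.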

Hi @hwilliams, @cblakeley

Now in https I am getting the same error:

  https://IP/oauth/verify.vsp?service=Auth%20So&v=no&msg=Failed%20to%20connect%20to%20service%20%22Auth%20So%22.&error.msg=Failed%20to%20connect%20to%20service%20%22Auth%20So%22.

@EdgarCap Have you provided the Virtuoso console trace requested by @cblakeley previously, so that we can see the trace of OAuth-related calls being made on the server side?