Only select scopes work with client credentials flow

[Fyko]

Description
When following the client credential flow, only select scopes are permitted for use (identify and applications.commands.update). If another scope -- such as email is specified, an error is thrown. Is this expected behavior?

The documentation states:

You can specify scopes with the scope parameter, which is a list of OAuth2 scopes separated by spaces

Steps to Reproduce

1. Copy the following code snippet

var id = "";
var secret = "";

var headers = new Headers();
headers.append("Content-Type", "application/x-www-form-urlencoded");

var body = new URLSearchParams();
body.append("grant_type", "client_credentials");
body.append("scope", "identify email");
body.append("client_id", id);
body.append("client_secret", secret);

var requestOptions = {
  method: 'POST',
  headers,
  body,
  redirect: 'follow'
};

fetch("https://discord.com/api/oauth2/token", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));

2. Edit the id and secret values to a client id and client secret respectively
3. Run the code sample in the Developer Tools console
4. Observe

Expected Behavior
A (bearer) token is returned with access to the authorized user's email.

Current Behavior
The following error is thrown:

{
   "error":"invalid_scope",
   "error_description":"The requested scope is invalid, unknown, or malformed."
}

[muddyfish]

Working for me

[advaith1]

🤔 I also tested this and it only worked for identify and/or applications.commands/update

I can reproduce this. I am also not able to use guilds scope.

[muddyfish]

My curl is curl "https://discordapp.com/api/oauth2/token" -H "Content-Type: application/x-www-form-urlencoded" --data 'client_id=...&client_secret=...&grant_type=client_credentials&scope=identify email' and I get
{"access_token": "...", "expires_in": 604800, "scope": "identify email", "token_type": "Bearer"}

It works and gives me my email address when I use it

[advaith1]

that doesn't follow the docs? it says to send the id and secret as basic auth, not in the data

@muddyfish I tried copy pasting your curl and it's still not working

hackintosh:~ spiral$ curl "https://discordapp.com/api/oauth2/token" -H "Content-Type: application/x-www-form-urlencoded" --data "client_id=$client_id&client_secret=$client_secret&grant_type=client_credentials&scope=identify email"
{"error": "invalid_scope", "error_description": "The requested scope is invalid, unknown, or malformed."}
hackintosh:~ spiral$
hackintosh:~ spiral$ curl "https://discordapp.com/api/oauth2/token" -H "Content-Type: application/x-www-form-urlencoded" --data "client_id=$client_id&client_secret=$client_secret&grant_type=client_credentials&scope=identify"
{"access_token": "redacted", "expires_in": 604800, "scope": "identify", "token_type": "Bearer"}

[muddyfish]

It does? The Python example for oauth looks like this:

API_ENDPOINT = 'https://discord.com/api/v6'
CLIENT_ID = '332269999912132097'
CLIENT_SECRET = '937it3ow87i4ery69876wqire'
REDIRECT_URI = 'https://nicememe.website'

def exchange_code(code):
  data = {
    'client_id': CLIENT_ID,
    'client_secret': CLIENT_SECRET,
    'grant_type': 'authorization_code',
    'code': code,
    'redirect_uri': REDIRECT_URI,
    'scope': 'identify email connections'
  }
  headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
  }
  r = requests.post('%s/oauth2/token' % API_ENDPOINT, data=data, headers=headers)
  r.raise_for_status()
  return r.json()

Oh, I see. I can get the scopes successfully on an application owned by me, but not one in a team (where I am the owner). @Fyko does this apply to you?

[muddyfish]

Oh yeah, teams behave differently as it's effectively working on the team user itself, and those other scopes don't make sense for teams

[Fyko]

It does? The Python example for oauth looks like this:

API_ENDPOINT = 'https://discord.com/api/v6'
CLIENT_ID = '332269999912132097'
CLIENT_SECRET = '937it3ow87i4ery69876wqire'
REDIRECT_URI = 'https://nicememe.website'

def exchange_code(code):
  data = {
    'client_id': CLIENT_ID,
    'client_secret': CLIENT_SECRET,
    'grant_type': 'authorization_code',
    'code': code,
    'redirect_uri': REDIRECT_URI,
    'scope': 'identify email connections'
  }
  headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
  }
  r = requests.post('%s/oauth2/token' % API_ENDPOINT, data=data, headers=headers)
  r.raise_for_status()
  return r.json()

@muddyfish authorization_code != client_credentials

[muddyfish]

It doesn't make all that much difference; the issue is caused by using a bot on a team

[Fyko]

After further investigation, the error only occurrs when the application in question is owned by a team. When using the credentials of an application owned by the user directly, the error subsides.