Description
Summary
After completing OAuth2 authorization via Hydra (prelive-oauth2.quran.foundation), 24+ endpoints return 403 Forbidden with insufficient_scope, while other endpoints on the same services work fine with the same token.
Observed behavior
Response: 403 Forbidden

```json
{
  "message": "The access token does not have the required scopes",
  "type": "insufficient_scope",
  "success": false
}
```

Affected endpoints
/auth/v1 service — Goals, Activity, Streaks
| Method | Endpoint | Operation |
|---|---|---|
| POST | /auth/v1/goals | Create goal |
| PUT | /auth/v1/goals/:id | Update goal |
| DELETE | /auth/v1/goals/:id | Delete goal |
| GET | /auth/v1/goals/get-todays-plan | Get today's plan |
| GET | /auth/v1/goals/estimate | Estimate goal timeline |
| GET | /auth/v1/activity-days | Get activity days |
| POST | /auth/v1/activity-days | Log activity day |
| GET | /auth/v1/activity-days/estimate-reading-time | Estimate reading time |
| GET | /auth/v1/streaks | Get streaks |
| GET | /auth/v1/streaks/current-streak-days | Get current streak |
/quran-reflect/v1 service — Posts, Rooms, Tags
| Method | Endpoint | Operation |
|---|---|---|
| GET | /quran-reflect/v1/posts/feed | Get posts feed |
| GET | /quran-reflect/v1/posts/by-verse/:verse_key | Get posts by verse |
| POST | /quran-reflect/v1/posts | Create post |
| GET | /quran-reflect/v1/posts/:id | Get post |
| GET | /quran-reflect/v1/posts/my-posts | Get my posts |
| GET | /quran-reflect/v1/posts/user-posts/:user_id | Get user's posts |
| POST | /quran-reflect/v1/posts/:id/toggle-like | Toggle like post |
| GET | /quran-reflect/v1/posts/:id/all-comments | Get all post comments |
| GET | /quran-reflect/v1/rooms/search | Search rooms |
| GET | /quran-reflect/v1/rooms/:id | Get room by ID |
| POST | /quran-reflect/v1/rooms/groups | Create group |
| GET | /quran-reflect/v1/rooms/joined-rooms | Get joined rooms |
| GET | /quran-reflect/v1/tags | Search tags |
| POST | /quran-reflect/v1/users/featured/follow-all | Follow all featured users |
Working endpoints (same token, same session)
These endpoints return 200 OK with the same access token:

| Method | Endpoint | Result |
|---|---|---|
| GET | /quran-reflect/v1/users/profile | ✓ |
| PUT | /quran-reflect/v1/users/profile | ✓ |
| PATCH | /quran-reflect/v1/users/profile | ✓ |
| GET | /quran-reflect/v1/users/:id | ✓ |
| GET | /quran-reflect/v1/users/search | ✓ |
| GET | /quran-reflect/v1/users/:id/followers | ✓ |
| GET | /quran-reflect/v1/users/:id/following | ✓ |
| GET | /quran-reflect/v1/users/:id/rooms | ✓ (via /quran-reflect/v1/users/my-rooms) |
| GET | /auth/v1/bookmarks | ✓ |
| GET | /auth/v1/notes | ✓ |
| GET | /auth/v1/collections | ✓ |
| GET | /auth/v1/preferences | ✓ |
| POST | /auth/v1/preferences | ✓ |
| GET | /auth/v1/reading-sessions | ✓ |
| POST | /auth/v1/reading-sessions | ✓ |
Context
The OAuth client is registered on Hydra with parent scopes (e.g., user). It appears the failing endpoints require child scopes (e.g., user.goals.read, user.posts.read) that are not registered on the client. The working endpoints likely fall under scopes already granted.
This suggests the Hydra client configuration needs to include the full set of child scopes, or the API should accept parent scopes as encompassing their children.
Tested against: https://apis-prelive.quran.foundation
OAuth provider: https://prelive-oauth2.quran.foundation
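To make the two options in the Context section concrete, here is an added Python example (not the project's code) contrasting an exact-match scope check, which produces the 403 body reported above for a token holding only the parent scope `user`, with a hierarchical check that treats a parent scope as covering its dotted children. The endpoint-to-scope mapping and the `user.goals.write` scope are assumptions made for illustration; `user.goals.read` and `user.posts.read` are the child scopes named in the issue.

```python
"""Added example: exact-match vs. hierarchical OAuth2 scope checks."""

# Error body exactly as the issue reports the API returning it.
INSUFFICIENT_SCOPE = {
    "message": "The access token does not have the required scopes",
    "type": "insufficient_scope",
    "success": False,
}

# Assumed mapping for illustration; only the two *.read scopes come
# from the issue text, the rest are constructed.
REQUIRED_SCOPES = {
    ("GET", "/auth/v1/goals/get-todays-plan"): ["user.goals.read"],
    ("POST", "/auth/v1/goals"): ["user.goals.write"],
    ("GET", "/quran-reflect/v1/posts/feed"): ["user.posts.read"],
    ("GET", "/quran-reflect/v1/users/profile"): ["user"],
}


def parse_scope_claim(scope):
    """Split the space-separated `scope` value (RFC 7662 introspection
    response or access-token claim) into a set of scope strings."""
    return set(scope.split())


def scope_covers(granted, required):
    """`granted` satisfies `required` if identical or a dotted ancestor.
    The trailing dot keeps `user` from matching e.g. `users.profile`."""
    return granted == required or required.startswith(granted + ".")


def check_scopes(granted, required, hierarchical=True):
    """Return (status, body). hierarchical=False reproduces the
    exact-match behaviour the issue observed on the failing endpoints."""
    if hierarchical:
        missing = [r for r in required
                   if not any(scope_covers(g, r) for g in granted)]
    else:
        missing = [r for r in required if r not in granted]
    if missing:
        return 403, {**INSUFFICIENT_SCOPE, "missing": missing}
    return 200, {"success": True}


def authorize(method, path, scope_claim, hierarchical=True):
    """Look up the endpoint's required scopes and run the check."""
    required = REQUIRED_SCOPES.get((method, path))
    if required is None:
        return 404, {"success": False, "type": "unknown_endpoint"}
    return check_scopes(parse_scope_claim(scope_claim), required, hierarchical)
```

With `hierarchical=False` a token whose scope is `openid offline user` is rejected for `/auth/v1/goals/get-todays-plan` but accepted for `/quran-reflect/v1/users/profile`, matching the split the issue describes; the hierarchical variant accepts both.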