OAuth2 scope delimiter in URLs


I am tinkering around oauth2 flow to have per user access to Jira Cloud. From what I read here - https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/ - scopes in authorization url must be delimited by space (%20).

However when I define an app in a developer console authorization url is generated with comma (%3A) delimited scopes.

And in my tests it works well with a comma and not with a space. In RFC 6749 the OAuth 2.0 authorisation framework defines the scope syntax as simple opaque space-delimited strings.

Does this mean that Atlassian Cloud oauth2 access is against RFC in this context? Should I use make my framework of choice to use comma delimited scopes in URL?



Hi @piotr.bojko,

I think you’re referring to the generated URL in the Authorization page in https://developer.atlassian.com/.

%3A is : (colon) not comma. So in my Confluence example I have scope=read%3Aconfluence-content.summary%20read%3Aconfluence-space.summary which using a URL decoder is scope=read:confluence-content.summary read:confluence-space.summary.

I set up an example using Spring Boot with OAuth2 in Spring Security and the scopes are defined as

scope: offline_access, read:me, read:confluence-content.summary, read:confluence-space.summary

and Spring will covert this to the correct URL with a single space (%20) between scopes.

Can you check when you run your app and it builds the URL and sends you to https://auth.atlassian.com/authorize, what does the scope section look like?


1 Like


I have just one scope “read:jira-user” not two scopes “read jira-user”.

I have totally misfired my deduction!


1 Like