Hello, stuck with this issue for a while. If it outside support, can you plese at least tell, it is expected behavior, potential issue or my config problems. Thank you in advance. Expected behavior ciba flow initiated, by asking openid and profile scope. Client complete authentication, and access_token is generated by token endpoint. Than token can be used to access claim under openid and profile (or any other requested/allowed by client scopes) scopes in userinfo endpoint. Actual behavior On attempt to get data from userinfo endpoint, by using access_token, insufficient_right error is returned. Example 1.Request to bc auth endpoint: POST /oxauth/restv1/bc-authorize? HTTP/1.1 Host: myhost.com Content-Type: application/x-www-form-urlencoded Authorization: Basic ....4MWU= login_hint=card1&scope=openid profile&acr_values=simple_password_auth&user_code=code&binding_message=binding23334 2.Responce from server: { "auth_req_id": "7048f0f544d6ee7facbafe433d619a07e37c7675a754a74e", "interval": 3, "expires_in": 3600 } 3.Link generated by server to authenticate user (firebase integration script generated URL). Opened manualy via browser. Authentication completed. https://myhost.com/oxauth/restv1/authorize?auth_req_id=7048f0f544d6ee7facbafe433d619a07e37c7675a754a74e&scope=openid+profile&acr_values=simple_password_auth&response_type=id_token&redirect_uri=https%3A%2F%2Fmyhost.com%2Foxauth%2Fciba%2Fhome.htm&state=387aa431-b291-40a3-b02d-8f29b4d21a1a&nonce=eb388513-f126-4df4-8510-85566af44a93&prompt=consent&client_id=ea9dd625-e69e-426d-92c3-172f0e6f3828 4.Polling results (now returns actual result, instead of authentication pending) POST /oxauth/restv1/token? HTTP/1.1 Host: myhost.com Content-Type: application/x-www-form-urlencoded Authorization: Basic .....RkNDgxZQ== scope=openid profile&grant_type=urn:openid:params:grant-type:ciba&auth_req_id=7048f0f544d6ee7facbafe433d619a07e37c7675a754a74e 5.getting response: { "access_token": "ea5f2d13-8ad9-....-a044-d062a4277858", "scope": "openid profile", "id_token": "eyJraWQiO......8kOcRhBXM0cZ0c2-2ylKSbiD_teKQ", "token_type": "bearer", "expires_in": 299 6.try to get data from userinfo endpoint by using acquired access_token. GET /oxauth/restv1/userinfo? HTTP/1.1 Host: myhost.com Content-Type: application/x-www-form-urlencoded Authorization: Bearer ea5f2d13-8ad9-....-a044-d062a4277858 scope=openid profile 7. { "reason": "Both openid and profile scopes are not present.", "error_description": "The request requires higher privileges than provided by the access token.", "error": "insufficient_scope" } openidScopeBackwardCompatibility= true ciba grant allowed for client. both scopes (openid and profile) allowed for client. ciba enabled (all accordin to manual) Questions is there something wrong with my configuraiton? Should CIBA flow return any cliams at all?