Ronaldo Lanhellas

Reputation: 3336

scp claim in Azure AD Access Token

I'm developing a communication flow through Azure AD with OAuth2. So, I'm testing two flows:

 - Credentials Flow
 - Authorization Code Flow

Everything works fine, except one thing: The Scope/permission (scp) in the Access Token.

When I request an Access Token with the Authorization Code Flow I have a lot of claims, and one that is very important for my business: the scp. This claim has all scopes configured in the Azure portal.

But when I use the Client Credentials Flow this "scp" claim is not returned, and I can't check if the generated Access Token can access an endpoint in my resource server.

Any idea how to solve this?

Upvotes: 2

Views: 7456

Answers (2)

Mathieu Diepman

Reputation: 149

The answer to this question explains quite well why it's not working.

Since there is no redirection (there's no user involved), scp claims are not returned. The solution to your problem is to use application roles.

When you get the OAuth2 token using the client_credentials flow, make sure you are passing the resource parameter and populate it with the appId of the application where you added the roles to the manifest.

Upvotes: 1
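Putting that into a resource-server check, as an added example that is not part of either answer: it accepts the permission from either the `scp` claim (delegated token from the authorization code flow) or the `roles` claim (app-only token from the client credentials flow), after confirming the audience is this resource. The claim names `scp`, `roles` and `aud` are Azure AD's; the token payloads, permission names and audience URI are constructed, and signature validation is assumed to have happened upstream.

```python
# Added example, not code from the question or answers. Works on the decoded
# payload of an Azure AD access token whose signature has ALREADY been verified.
from typing import Any, Mapping, Set

# Constructed: the App ID URI of the resource server (the "resource" the
# client requested the token for). Tokens for other audiences are rejected.
EXPECTED_AUDIENCE = "api://example-resource"


def token_kind(claims: Mapping[str, Any]) -> str:
    """Delegated tokens carry "scp"; app-only tokens carry "roles" instead."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "none"


def granted_permissions(claims: Mapping[str, Any]) -> Set[str]:
    """Union of scopes (space-separated string) and app roles (JSON array)."""
    granted: Set[str] = set()
    scp = claims.get("scp")
    if isinstance(scp, str):
        granted.update(scp.split())
    roles = claims.get("roles")
    if isinstance(roles, list):
        granted.update(r for r in roles if isinstance(r, str))
    return granted


def is_authorized(claims: Mapping[str, Any], required: str) -> bool:
    """True if the token is for this resource and grants `required`."""
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False
    return required in granted_permissions(claims)


# Constructed sample payloads (only the claims relevant to the check).
DELEGATED_TOKEN = {"aud": EXPECTED_AUDIENCE,
                   "scp": "Orders.Read Orders.Write",
                   "upn": "user@example.com"}
APP_TOKEN = {"aud": EXPECTED_AUDIENCE, "roles": ["Orders.Read"]}
WRONG_AUDIENCE_TOKEN = {"aud": "api://other-resource", "roles": ["Orders.Read"]}

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN), ("app", APP_TOKEN)]:
        print(name, token_kind(tok), sorted(granted_permissions(tok)),
              is_authorized(tok, "Orders.Write"))
```

Because the app-only token lists no `scp`, checking `scp` alone would reject every client-credentials caller; the `roles` branch is what makes those tokens usable on the endpoint.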

srini

Reputation: 153

Have a look at these two links. Looks like you are correct: in the client credentials flow, scp claims are not visible.

Getting the access token for Microsoft Graph API

https://joonasw.net/view/defining-permissions-and-roles-in-aad

Upvotes: 0
