Get valid Access Token for custom scope from MS Entra for use as Bearer Token

Question

Get valid Access Token for custom scope from MS Entra for use as Bearer Token

Dan Kelly 0

I'm having problems with retrieving an Access Token from Microsoft Entra for use with a Web API

Our basic scenario is a follows. We are developing a Nuxt.js front-end application which needs to communicate with an existing Hapi.js backend. The Nuxt frontend needs to attach a Bearer Token to requests so that the API server can authenticate calls using JWT/JWKS

I have set up a new Application Registration in Microsoft Entra and registered it with the Nuxt application using next-auth-utils and this is initially successful, with both a User and Access Token being returned once the Microsoft pop-up has been completed. However checking the Access Token against jwt.io the token has an Invalid Signature as well as a nonce entry.

Following some further investigation I have created a custom scope under Expose an api as *api://

2 answers

Your answer

Answer 1

Eric Nguyen 1,025 Independent Advisor

Hi @Dan Kelly,

Thank you for contacting Q&A Forum. I would like to provide my findings and proposed solution:

When you define a custom API, you need to specify the specific api path so that Entra ID could recognize the source of it.

In the address being called, "&scope=custom.read" is not a valid api as Entra ID would consider it as a scope under Microsoft Graph by default. You need to input the whole name as "&scope=api://<clientID>custom.read"

In access tokens, the "nonce" claim in the header is a random value emitted by Entra ID and it's not defined in the developer coding. Thus you don't need to match it to the values from your own side.

Kindly let me know if this work for you and please let me know if you have any further questions.

If I have answered your question, please accept this answer as a token of appreciation and don't forget to give a thumbs up for "Was it helpful"!

Best regards,
Eric

Dan Kelly 0 Reputation points

2025-06-19T09:44:37.01+00:00

Changing the scope definition in the Nuxt application to include the client id (i.e. the api://..../custom.read value from Api Permissions > custom.read results in a 401 error after the pop up appears.

As the URL being requested in the original question contained both the TenatID and ClientID already I wouldn't have thought that I would need to include the ClientID again in the scope

I realise that the nonce doesn';t need to match anything on my side. It just seems to be an indicator that the returned token is not what I need to use as a Bearer
Dan Kelly 0 Reputation points

2025-06-19T11:04:58.2233333+00:00

Pasting the URL above (with scope=custom.read) into Chrome gets me the error:"AADSTS650053: The application Nuxt JS test application" asked for scope "custom.read" that doesn"t exist on the resource "00000003-0000-0000-c000-000000000000". Contact the app vendor. "Which is the ID for Microsoft Graph. Which corrolates.

Changing the scope, as suggested, to "scope=<CLIENT_ID>/custom.read" we get a redirect to the defined Redirect URL with a code=... in the url. This should then be being used by Nuxt to get a token from MS. So progress.

However changing the scope in nuxt-auth-utils config I get a 401 error from graph.microsoft.com Looks like I need to do some tracing on what Nuxt Auth Utils are doing...

Answer 2

Dan Kelly 0

OK. Looks like it's confirmed that nuxt-auth-utils is authenticating against Graph.microsoft and I'll need to wire it up to MSAL in some way.

More information here

Share via

Get valid Access Token for custom scope from MS Entra for use as Bearer Token

2 answers

Your answer