Hi @Dan Kelly,
Thank you for contacting the Q&A Forum. I would like to provide my findings and proposed solution:
- When you define a custom API, you need to specify the full API path so that Entra ID can recognize its source.
In the address being called, "&scope=custom.read" is not a valid API scope, as Entra ID would consider it a scope under Microsoft Graph by default. You need to input the whole name as "&scope=api://<clientID>/custom.read".
- In access tokens, the "nonce" claim in the header is a random value emitted by Entra ID, and it is not defined in the developer's code. Thus you don't need to match it to values from your own side.
Kindly let me know if this works for you, and please let me know if you have any further questions.
If I have answered your question, please accept this answer as a token of appreciation and don't forget to give a thumbs up for "Was it helpful"!
Best regards,
Eric
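The following Python script is an added example and is not part of Eric's answer above or of any Microsoft sample. It shows the two points in runnable form: building the authorize request with the fully qualified `api://<clientID>/custom.read` scope rather than a bare `custom.read`, and inspecting an access token so that the header `nonce` is visible and deliberately left out of the claims check. The client ID and tenant ID are placeholders, the v2.0 issuer format is assumed, and the sample token is constructed locally and unsigned; a real API must additionally verify the signature against the tenant's published JWKS before trusting any claim.

```python
"""Added example (not from the original Q&A post): correct custom-API scope
formatting and access-token claim checks that ignore the header 'nonce'."""
import base64
import json
from urllib.parse import urlencode

# Placeholder identifiers; substitute your own app registration values.
API_CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # client ID of the custom API
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"       # tenant that issues the tokens
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"


def api_scope(client_id: str, scope_name: str) -> str:
    """Fully qualified scope for a custom API: api://<clientID>/<scope>.
    A bare name such as 'custom.read' is resolved against Microsoft Graph instead."""
    return f"api://{client_id}/{scope_name}"


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Authorization-code request; scopes are space separated, then URL-encoded."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Split a JWT into (header, payload) WITHOUT checking the signature.
    For inspection only; production code must verify the signature with the tenant JWKS."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def check_access_token_claims(payload: dict, api_client_id: str, tenant_id: str, required_scope: str) -> list:
    """Return a list of problems with the payload claims (empty list means OK).
    The header 'nonce' is intentionally not consulted: Entra ID generates it and
    there is nothing on the API side to compare it against."""
    problems = []
    # v2.0 tokens carry the API's client ID as aud; v1.0 tokens carry the App ID URI.
    accepted_aud = (api_client_id, f"api://{api_client_id}")
    if payload.get("aud") not in accepted_aud:
        problems.append(f"unexpected aud {payload.get('aud')!r}")
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"  # assumed v2.0 issuer
    if payload.get("iss") != expected_iss:
        problems.append(f"unexpected iss {payload.get('iss')!r}")
    if required_scope not in payload.get("scp", "").split():
        problems.append(f"scope {required_scope!r} not granted (scp={payload.get('scp')!r})")
    return problems


def make_sample_token(header: dict, payload: dict) -> str:
    """Constructed, UNSIGNED sample token so the header/payload split can be shown offline."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed sample: the 'nonce' lives in the header, not in the claims set.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid", "nonce": "placeholder-nonce"}
SAMPLE_PAYLOAD = {
    "aud": API_CLIENT_ID,
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "scp": "custom.read",
    "sub": "placeholder-subject",
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_HEADER, SAMPLE_PAYLOAD)


if __name__ == "__main__":
    print("wrong scope value :", "custom.read")
    print("correct scope     :", api_scope(API_CLIENT_ID, "custom.read"))
    print(build_authorize_url("66666666-7777-8888-9999-000000000000",
                              "https://localhost/callback",
                              [api_scope(API_CLIENT_ID, "custom.read"), "openid"], "xyz"))
    hdr, claims = decode_jwt_unverified(SAMPLE_TOKEN)
    print("header nonce present:", "nonce" in hdr, "| payload nonce present:", "nonce" in claims)
    print("claim problems:", check_access_token_claims(claims, API_CLIENT_ID, TENANT_ID, "custom.read"))
```

Running the script prints the bare versus fully qualified scope, the encoded authorize URL, and an empty problem list for the constructed token; swapping the `aud` for the Graph application ID makes the check fail, which is the symptom you would see if the client had requested the bare `custom.read` scope and received a Graph-audience token.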