scp claim missing from code flow token, but works in postman
I am creating 2 applications. The client is a Blazor Server application; I have the app registration authenticating with Azure AD, and I get back a token, but it does not contain any scopes. It does have the app roles configured in the app registration, though. However, I have configured Postman correctly, and I can get a full bearer token using OAuth2 that has the scopes. I have tried everything I can think of to get the scp claim, but I do not know what I am missing.
In the client I am just using the app registration, with signin-oidc as the callback.
Claims in the client application:
Startup.cs for the client:
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["AzureAd:Scopes"] })
.AddInMemoryTokenCaches();
Scopes element in appsettings:
"Scopes": "api://{Identifier}/Recruiter.Read api://{Identifier}/Test.Read"
API Startup.cs:
// Stop the handler from remapping short JWT claim names (e.g. "roles", "name") to the long .NET URIs
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.TokenValidationParameters.RoleClaimType = "roles";
    options.TokenValidationParameters.NameClaimType = "name";
});
In Postman I am making a call to: https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/authorize
The token return URL is: https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/token
Claims in Postman:
I could really use some help, I have tried everything I can think of except the right way... clearly.
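A quick way to check which kind of token you are actually looking at is to decode its payload and compare the `aud`, `scp` and `roles` claims; the scp claim only appears in a delegated access token issued for the API, not in the ID token the client receives from signin-oidc. The script below is an added example (not from the question or from Microsoft.Identity.Web); the two tokens are constructed locally with placeholder GUIDs and are unsigned, so this is for inspection only and must never be used in place of signature validation.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying the signature.
    Inspection only: never use this to authorise a request."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_token(token: str) -> dict:
    """Summarise the claims that decide whether an API call will be authorised."""
    claims = decode_jwt_payload(token)
    scopes = claims["scp"].split() if "scp" in claims else []   # scp is space-separated
    roles = claims.get("roles", [])                              # app roles are a JSON array
    if scopes:
        kind = "delegated access token (has scp)"
    else:
        kind = "ID token or app-only token (no scp; roles only)"
    return {"kind": kind, "aud": claims.get("aud"), "scp": scopes, "roles": roles}


def _fake_jwt(payload: dict) -> str:
    """Build an unsigned JWT-shaped string for the demo (constructed, not issued by Azure AD)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample: an ID token issued to the client app (aud = the client's app id)
ID_TOKEN = _fake_jwt({
    "aud": "00000000-0000-0000-0000-000000000001",   # placeholder client id
    "name": "Alice",
    "roles": ["Recruiter"],
})
# Constructed sample: an access token for the API (aud = the API's identifier, scp = delegated scopes)
ACCESS_TOKEN = _fake_jwt({
    "aud": "api://00000000-0000-0000-0000-000000000002",  # placeholder API identifier URI
    "scp": "Recruiter.Read Test.Read",
    "roles": ["Recruiter"],
})

if __name__ == "__main__":
    for label, tok in (("signin-oidc token", ID_TOKEN), ("API access token", ACCESS_TOKEN)):
        print(label, "->", describe_token(tok))
```

If the token your Blazor client logs looks like the first sample (client id as `aud`, no `scp`), it is the ID token; the scopes live in the access token that `ITokenAcquisition` fetches for the downstream API.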