I am trying to authenticate to https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token
where tenantId is coming from Azure AD.
It works fine as long as I pass only one scope in the following format
api://{{clientId}}/.default
If I pass multiple values to the scope parameter, it fails with error AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid.
I've tried separating the values with a space, a comma and a plus sign, but it never works. If I pass any value individually they all work, but I want multiple audiences in my access token, so how can I do that?
EDIT
Extra parameters passed:
grant_type : client_credentials
client_id
client_secret
scope
Since the access token only contains permissions to one API, a token is generated for a specific audience, i.e. we can only specify scopes for one API.
Also, the OAuth flow here is the client credentials flow, which means that we cannot dynamically request scopes and can request only the .default scope for a particular resource.
According to MS Docs,
The value passed for the scope parameter in this request should be the resource identifier (Application ID URI) of the resource you want, affixed with the .default suffix. For Microsoft Graph, the value is https://graph.microsoft.com/.default. This value informs the Microsoft identity platform endpoint that of all the application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use.
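The practical consequence of the answer above, as an added example that is not part of the original question or answer: with the client credentials grant you send one token request per API, each with a single `<App ID URI>/.default` scope, and you check the `aud` claim of each returned token against the resource you asked for. The helper rejects the space/comma/plus joining the poster tried (which is what produces AADSTS70011). The tenant, client and API identifiers, and the unsigned sample token, are constructed placeholders for this example; `fetch_token` is the only function that touches the network and is not exercised offline.

```python
"""Client credentials grant against the Microsoft identity platform v2.0 endpoint.

The grant accepts exactly one resource per request, written as <App ID URI>/.default,
so a client that needs tokens for several APIs sends one request per API and gets
one token per audience. All identifiers below are constructed placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
SEPARATORS = (" ", ",", "+")  # joining resources this way yields AADSTS70011


def default_scope(resource_uri: str) -> str:
    """Turn an App ID URI (api://<clientId>, https://graph.microsoft.com) into the
    single '<resource>/.default' scope the client credentials grant accepts."""
    if any(sep in resource_uri for sep in SEPARATORS):
        raise ValueError("client_credentials takes one resource per request; "
                         "request a separate token for each API")
    resource_uri = resource_uri.rstrip("/")
    if resource_uri.endswith("/.default"):
        return resource_uri
    return f"{resource_uri}/.default"


def build_token_request(tenant_id: str, client_id: str, client_secret: str,
                        resource_uri: str) -> dict:
    """Prepare one POST: the decoded form fields plus the encoded body bytes."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": default_scope(resource_uri),
    }
    return {"url": TOKEN_URL.format(tenant_id=tenant_id), "form": form,
            "data": urllib.parse.urlencode(form).encode()}


def token_requests_for(tenant_id, client_id, client_secret, resource_uris):
    """One request per audience; a single token can never cover two APIs."""
    return [build_token_request(tenant_id, client_id, client_secret, r)
            for r in resource_uris]


def fetch_token(request: dict) -> dict:
    """POST one prepared request and return the parsed JSON response (network call)."""
    req = urllib.request.Request(
        request["url"], data=request["data"], method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def decode_jwt_claims(token: str) -> dict:
    """Base64url-decode a JWT payload WITHOUT verifying the signature. Fine for
    inspecting 'aud' and 'roles' while debugging; never use it to authorize."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token: str, resource_uri: str) -> bool:
    """Was the token minted for the requested resource? Depending on the API's
    accessTokenAcceptedVersion, 'aud' carries the App ID URI or the bare client
    ID behind api://, so both spellings are accepted."""
    aud = decode_jwt_claims(token).get("aud")
    base = resource_uri.rstrip("/")
    if base.endswith("/.default"):
        base = base[: -len("/.default")]
    accepted = {base, base + "/"}
    if base.startswith("api://"):
        accepted.add(base[len("api://"):])
    return aud in accepted


def _unsigned_token(claims: dict) -> str:
    """Constructed fixture: alg=none JWT with an empty signature, for offline tests."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = b64({"alg": "none", "typ": "JWT"})
    return ".".join([header, b64(claims), ""])


# Constructed placeholders, not values from the original post.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "00000000-0000-0000-0000-000000000002"
API_A = "api://00000000-0000-0000-0000-0000000000aa"
API_B = "api://00000000-0000-0000-0000-0000000000bb"
SAMPLE_TOKEN = _unsigned_token({"aud": API_A, "roles": ["Read.All"]})

if __name__ == "__main__":
    for req in token_requests_for(TENANT_ID, CLIENT_ID, "secret", [API_A, API_B]):
        print(req["url"], req["form"]["scope"])
    print("sample token aud ok:", audience_matches(SAMPLE_TOKEN, API_A))
```

Keep `decode_jwt_claims` for debugging only: the resource API must validate the signature, issuer and `aud` itself, since an access token for API A presented to API B should be rejected by B, which is exactly why one token cannot serve both.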