I have registered a multi-tenant app in Azure Active Directory, and I am using all the OAuth v2.0 endpoints in the IBM WebSphere OIDC TAI configuration. But I am still getting a v1.0 access_token, which obviously has a different issuer, and hence JWT validation fails when matching the issuer identifier. I am expecting this,
"iss": "https://login.microsoftonline.com/my-tenant-id/v2.0"
But I am getting this,
"iss": "https://sts.windows.net/my-tenant-id/",
I am using Microsoft Graph APIs.
If you need to get an access token that can be validated in the standard way you need to 'expose an API scope' so that you get a verifiable token, as AllenWu says.
Azure AD behaviour is a little unintuitive and my Visual Blog Post should enable you to work out what you need to do.
See steps 3, 6 and 7.
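To make the failure in the question concrete, here is an added example (not code from the post, the answer, or IBM/Microsoft) that reads the `iss` and `aud` claims out of a JWT and checks them against the issuer and audience a relying party such as the TAI is configured to accept. The tenant id, the audience strings, and the two tokens are constructed placeholders, and the tokens carry a dummy signature; a real validator must verify the signature against the tenant's signing keys before trusting any claim, and this snippet only shows the issuer/audience step that the v1.0 token fails.

```python
import base64
import json

# Placeholder tenant id (constructed for this example, not a real tenant)
TENANT_ID = "my-tenant-id"
# The v2.0 issuer the question expects for that tenant
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# Assumed audience of the relying party's own exposed API scope (placeholder)
EXPECTED_AUDIENCE = "api://my-app-client-id"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test data only)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "sig",  # not a real signature
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_issuer: str, expected_audience: str) -> dict:
    """Compare the token's iss and aud claims with what this relying party accepts.

    A token minted for another resource (e.g. Microsoft Graph) must be rejected
    even if its issuer were acceptable, because its audience is not us.
    """
    claims = decode_claims(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return {
        "issuer_ok": claims.get("iss") == expected_issuer,
        "audience_ok": expected_audience in audiences,
        "iss": claims.get("iss"),
        "aud": aud,
        "ver": claims.get("ver"),
    }


# Constructed sample: the v1.0-style token the question reports receiving
V1_TOKEN = make_unsigned_jwt({
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": "https://graph.microsoft.com",
    "ver": "1.0",
})

# Constructed sample: the v2.0-style token for the app's own exposed API scope
V2_TOKEN = make_unsigned_jwt({
    "iss": EXPECTED_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "ver": "2.0",
})

if __name__ == "__main__":
    for name, tok in (("v1 Graph token", V1_TOKEN), ("v2 API-scope token", V2_TOKEN)):
        print(name, check_token(tok, EXPECTED_ISSUER, EXPECTED_AUDIENCE))
```

Running it shows the v1.0 Graph token failing both the issuer and the audience comparison, while the token issued for the app's own scope passes both; the `ver` claim is a quick way to tell which endpoint minted a token when reading logs.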