Tags: azure, oauth, azure-api-management

API Manager OAuth server generates wrong audience claim


I have set up a backend-app, client-app and OAuth server in API Manager pretty much according to example. Currently the OAuth server and both app registrations are set up to use v2 endpoints. Currently the default scope of the OAuth server is set to api://<backend-app client ID>. This is also the value of the audience tag in validate-jwt policy. I have no required-claims in the validate-jwt policy. For each change in config I re-authorize in the test console try-it modal.

It seems like no matter how much I fiddle with the parameters, the aud claim of the token received by the developer portal test console is "aud": "00000003-0000-0000-c000-000000000000".

What am I doing wrong?

EDIT:

I realized I have to publish changes to the developer portal. I was also wrongly assuming that I needed no scope in the API, since I am developing an API that is to be called by a daemon app only (using app roles). After setting a test scope in the app registrations, granting admin consent, and publishing the developer portal, the token carries the correct aud claim. I still get 401 however, but assume that is a different question.


Solution

  • During my initial attempts I failed to do two things:

    1. Republish developer portal after changing API
    2. Set a valid, non-default app scope in both app registrations

    The reason for not setting a scope beyond the default scope of the API app registration was that the API is intended to be called by a daemon app only. Unless I misunderstand things further, calling a protected API from the developer test portal requires a delegated permission (scope), because the developer authorizes interactively upon fetching the OAuth token.

    NB! Not answering the question directly, but I had to remove the api:// part of the <audience> definition in the JWT-validate policy for the token to be authorized. Using the 2.0 endpoint.
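For reference, here is what the audience mismatch described in the answer looks like in an API Management inbound policy. This is an added example, not the asker's policy or anything from the Azure documentation; {tenant-id} and {backend-app-client-id} are placeholders. The behaviour it relies on: a v2.0 access token issued by the Microsoft identity platform carries the bare application (client) ID of the resource in its aud claim, whereas a v1.0 token carries the App ID URI (the api://... form), so a validate-jwt policy fed v2.0 tokens must list the client ID as the audience. The aud value seen in the question, 00000003-0000-0000-c000-000000000000, is the application ID of Microsoft Graph: when the authorization request names no scope on the backend API, the token is minted for Graph instead and no audience on the API will ever match it.

```xml
<!-- Inbound section of an APIM policy (added example). Placeholders {tenant-id} and
     {backend-app-client-id} must be replaced with the real tenant and backend app
     registration values. -->
<inbound>
    <base />

    <!-- Before (commented out): audience written as the App ID URI. A v2.0 token's
         aud claim is the bare client ID, so this never matches and every call is
         rejected with 401 even when the token is otherwise valid. -->
    <!--
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401">
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <audience>api://{backend-app-client-id}</audience>
        </audiences>
    </validate-jwt>
    -->

    <!-- After: audience is the backend app registration's client ID, which is what
         the v2.0 endpoint puts in aud for a token requested with a scope under
         api://{backend-app-client-id}/ (including the /.default scope a daemon
         client uses with app roles). The v2.0 OpenID configuration URL supplies
         the issuer and signing keys used to verify the signature. -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <audience>{backend-app-client-id}</audience>
        </audiences>
    </validate-jwt>
</inbound>
```

A quick check before changing the policy is to base64url-decode the middle segment of the token the test console sends and read its aud value directly: if it is the Graph application ID above, the fix is on the client side (request a scope on the backend API, publish the developer portal); if it is the backend client ID as a bare GUID, the fix is the audience element shown here.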