I have a question regarding the SCP claim after using Azure to register an API that I've developed. I've followed various tutorials and sample applications. Everything validates correctly and I'm able to call a API Method from a trusted subsystem using primarily this tutorial: https://github.com/AzureADSamples/WebApp-WebAPI-OAuth2-AppIdentity-DotNet

The problem that I'm having is when I try to validate the SCP claim:

Claim scopeClaim = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/scope");

The scopeClaim value is always null. I do see over claims within the ClaimsPrincipal.Current object but not the Scope. My understanding is that if I download the manifest and upload it with the application permission included it will be available within the API to verify if the calling application has the correct Scope. Below is my application manifest (appPermissions only):

"appPermissions": [
    {
      "claimValue": "access.fullaccess",
      "description": "Allow the application full access to the service on behalf of the signed-in user",
      "directAccessGrantTypes": [],
      "displayName": "Have full access to the service",
      "impersonationAccessGrantTypes": [
        {
          "impersonated": "User",
          "impersonator": "Application"
        }
      ],
      "isDisabled": false,
      "origin": "Application",
      "permissionId": "52966341-1bb5-4e9f-b4f6-46aad4d03b33",
      "resourceScopeType": "Personal",
      "userConsentDescription": "Allow the application full access to the service on your behalf",
      "userConsentDisplayName": "Have full access to the service"
    }
  ]

Thank you in advance...Paul

So upon further playing around and creating multiple appPermissions for the API and allowing the client Web Application to choose multiple "Scopes" the JWT returned does not contain any of the Scope Claims. Is there something that I'm missing or not doing correctly? Any help would be very appreciated.

The claims you get back in the JWT Token depends on the OAuth flow you are using, and on the permissions you have defined.

When using Azure AD to implement OAuth, you will always need (at least) two applications registered with Azure AD: One API Provider, and one or more API Consumers. Depending on which Flow you are implementing, you will also need Users to go with that.

Let's pick the simplest case first: The Client Credentials Flow. In the CC Flow, you don't have any users involved, and the only permissions which are important are the Application Permissions. Now, and this is a little tricky, those aren't reflected in the JWT Token as scp claims, but rather as a roles containing the appRoles (see documentation) of the Consumer Application. These "App Roles" need to be defined, just like the appPermissions, in the manifest of the API providing application.

Only if you use a Flow which also contains a User, like the Authorization Code Grant or the Resource Owner Password Grant, you will see the scp claims in your token, if you have defined the corresponding permissions using the AD interface.

Hope that helps.