Looking for some AzureAD help with this error -

"error": "invalid_request", "error_description": "AADSTS50146: This application is required to be configured with an application-specific signing key.\r\nTrace ID: 6fb978c1-0d74-478c-991c-3ad48ca65f00\r\nCorrelation ID: 81c05804-175c-456b-8d45-d5365818b599\r\nTimestamp: 2019-12-17 19:28:29Z",

I get the error above in one AzureAD env. when trying to do a OAuth2.0 token request. I have another test AzureAD where the same request works fine.

Doing a POST to https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token with clientId, clientSecret and grant_type=client_credentials.

Found this via google - https://github.com/MicrosoftDocs/azure-docs/issues/5394 but wanted to understand how does one go about configuring the "scope" parameter in AzureAD.

You probably have additional/mapped claims.

If you do not want to bother with creating application-specific signing keys, you need to set "acceptMappedClaims": true in the manifest. Setting "accessTokenAcceptedVersion": 2 can also help.

Make sure to check the manifest of both the client and the target API (resource server/audience).

• When requesting an access token with mapped claims, the acceptMappedClaims of the target API needs to be true.
• When requesting an id token with mapped claims, the acceptMappedClaims of the client needs to be true.

When requesting both, id token and access token (as is common), and both tokens include additional claims, both app registrations need to have acceptMappedClaims set.

Note: as per the documentation, only use acceptMappedClaims on single-tenant apps. For multi-tenant apps, you want to use app-specific signing keys.

I think you need both

"acceptMappedClaims": true,

and

"allowPublicClient": true,

in your app's manifest.

The api permissions in Azure AD portal is the value of scope.

You can also expose an API, then you can add your own scope.