We are using the new version 2.0 endpoint and it needs to be applied only on the API resource application.
It is important to mention that AAD Application Permissions allow broad access to tenant-wide resources, so authenticated clients requesting authorization for any available resource in the same tenant will still receive a valid JWT with an [aud] claim value of that respective resource.
This means we can't rely on [aud] claims when enforcing access control; instead we will rely on the Scope claims issued by AAD according to the application permissions explicitly granted to clients.
We have to use Scope-based API permissions, but they are not showing in the SCOPE claim in the JSON web token (decoded). If you go with Role-based permissions, however, you can see the Roles claim details. Below is the latest update from Microsoft: AppRoles is currently in preview, which is stopping us from going with this route.
UPDATE: November 2020
[appRoles] Azure AD application attribute is now available (in preview) in the portal UI, so alternatively you could change and view the application roles through Azure portal UI settings.
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized API Call">
    <!-- tenant-specific v2.0 metadata endpoint; note the slash before the tenant ID -->
    <openid-config url="https://login.microsoftonline.com/{TenantID}/v2.0/.well-known/openid-configuration" />
    <audiences>
        <audience>{WeatherAPIApplicationID}</audience>
    </audiences>
    <required-claims>
        <!-- app role granted to the client via Application Permissions -->
        <claim name="roles">
            <value>Weather.ReadAll</value>
        </claim>
    </required-claims>
</validate-jwt>
Is there any way to get the API Permission Scope claim in the JSON web token using the client credential workflow?
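As an added example (not part of the original question or of any Microsoft code), the following Python mirrors the claim checks in the validate-jwt policy above: audience must match, and the required app role must be present in roles. The token payloads and the application ID are constructed placeholders, and signature validation is assumed to happen upstream, as the policy does via openid-config.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    # Constructed test token: header + payload with an empty signature segment.
    # Signature verification is assumed to be done upstream and is not shown.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def authorize(payload: dict, expected_aud: str, required_role: str) -> bool:
    # aud alone is not sufficient: any client in the tenant can obtain a token
    # for this audience, so the granted app role in roles is what is enforced.
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False
    roles = payload.get("roles", [])
    if isinstance(roles, str):  # tolerate a single-string claim value
        roles = [roles]
    return required_role in roles


# Placeholder application ID (constructed, not a real tenant value)
WEATHER_API_APP_ID = "00000000-0000-0000-0000-000000000001"

# Client credentials token where the Weather.ReadAll app role was granted
GOOD = {"aud": WEATHER_API_APP_ID, "roles": ["Weather.ReadAll"]}
# Same tenant and audience, but no app role granted: must be rejected
NO_ROLE = {"aud": WEATHER_API_APP_ID}
# Delegated-style token carrying the permission in scp, not roles
DELEGATED = {"aud": WEATHER_API_APP_ID, "scp": "Weather.ReadAll"}
```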