5
votes

Using this URI I am trying to generate access tokens

https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token

and the access tokens were successfully generated.

And I am passing client_id, client_secret, grant_type and scope.

When I tried to check https://jwt.io/#encoded-jwt I found that it's an Invalid signature.

When I am trying to access this site by performing the following call

https://graph.microsoft.com/beta/sites/<tenant_id>/lists

using those access tokens I am getting the following error: "AccessDenied, Either scp or roles claim need to be present in the token."

{
    "error": {
        "code": "AccessDenied",
        "message": "Either scp or roles claim need to be present in the token.",
        "innerError": {
            "request-id": " ",
            "date": " "
        }
    }
}

In order to access the site and get the list in application/json format, please suggest what should be included to get the roles claim in the token.

1
Show your grant_type and scope. – Nan Yu
grant_type - client_credentials, scope - graph.microsoft.com/.default – Divyashree R
Then did you configure the scope/permission on the app registration page? – Nan Yu
Yes, I have configured permissions as Delegated Permissions - User.Read, Application Permissions - Sites.Read.All – Divyashree R

1 Answer

4
votes

After configuring permissions, you need to click the grant admin consent button.

You can check if the token has the permission by decoding the access token.

When I tried to check https://jwt.io/#encoded-jwt I found that it's an Invalid signature.

You can change the ALGORITHM to HS256 to resolve this issue.
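The claim check described in the answer can also be done locally, without pasting a live bearer token into a website. This is an added example, not part of the original answer: `graph_permissions` and `make_sample` are hypothetical names, and both sample tokens are constructed and unsigned. It only reads the claims for diagnosis and does not validate the signature.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_segment(segment: str) -> dict:
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def graph_permissions(token: str) -> dict:
    """Read permission claims from an access token WITHOUT verifying it.
    Diagnostic use only; never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    roles = claims.get("roles") or []        # application permissions (client_credentials)
    scp = (claims.get("scp") or "").split()  # delegated permissions (user sign-in flows)
    return {
        "alg": header.get("alg"),
        "aud": claims.get("aud"),
        "roles": roles,
        "scp": scp,
        "usable": bool(roles or scp),  # Graph rejects tokens carrying neither claim
    }


def make_sample(claims: dict) -> str:
    # Constructed sample: the header and "signature" are placeholders, not real values.
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()),
                     b64url(b"constructed-not-a-signature")])


BASE = {"aud": "https://graph.microsoft.com",
        "appid": "00000000-0000-0000-0000-000000000000"}  # placeholder app id
BEFORE_CONSENT = make_sample(BASE)  # no roles claim: the AccessDenied case
AFTER_CONSENT = make_sample({**BASE, "roles": ["Sites.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("before consent", BEFORE_CONSENT), ("after consent", AFTER_CONSENT)):
        print(name, graph_permissions(tok))
```

With the client_credentials grant the permissions appear in `roles`; `scp` is only populated for delegated (user) flows, so the delegated User.Read permission would not show up in this token.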