
I am trying to authenticate to https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token where tenantId is coming from Azure AD.

It works fine as long as I pass only one scope in the following format

api://{{clientId}}/.default

If I pass multiple values to the scope parameter, it fails with error AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid.

I've tried separating the values with a space, a comma and a plus sign, but it never works. If I pass any value individually they all work, but I want multiple audiences in my access token, so how can I do that?

EDIT

Extra parameters passed:

grant_type : client_credentials

client_id

client_secret

scope

Sam

1 Answer

Since the access token only contains permissions to one API, a token is generated for a specific audience, i.e., we can only specify scopes for one API.

Also, the OAuth flow here is the client credentials flow, which means that we cannot dynamically request scopes and can request only the .default scope for a particular resource.

According to MS Docs,

The value passed for the scope parameter in this request should be the resource identifier (Application ID URI) of the resource you want, affixed with the .default suffix. For Microsoft Graph, the value is https://graph.microsoft.com/.default. This value informs the Microsoft identity platform endpoint that of all the application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use.

Hari Krishna
Yes, but I was passing multiple .default scopes (one for each API I want in the token). It seems though that you are right regarding the first point. I can't have more than one audience in a token. Shame :( – Sam Jul 01 '20 at 15:02
One idea is to use two separate OAuth requests for each scope instead of a single request. – Hari Krishna Jul 01 '20 at 15:04

Yep, I ended up doing that – Sam Jul 01 '20 at 19:14
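The workaround agreed on in the comments, written out as an added example that is not part of this thread or of Microsoft's libraries: one client-credentials request per resource, each carrying exactly one `.default` scope, plus a local check that rejects the space-, comma- and plus-separated lists the question tried (so the AADSTS70011 round trip is avoided) and a helper that reads the `aud` claim to confirm each token names a single audience. Tenant, client and API identifiers are placeholders, and the JWT used to demonstrate `audience_of` is constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode

# Azure AD v2.0 token endpoint from the question; tenant_id is filled in per call.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def default_scope(app_id_uri: str) -> str:
    """Build the single .default scope for one resource's Application ID URI."""
    return app_id_uri.rstrip("/") + "/.default"


def is_valid_client_credentials_scope(scope: str) -> bool:
    """Client credentials accepts exactly one resource's .default scope.

    Space-, comma- and plus-separated lists (the three separators tried in the
    question) all fail this check, so a bad request is rejected locally
    instead of coming back from the endpoint as AADSTS70011.
    """
    if any(sep in scope for sep in (" ", ",", "+")):
        return False
    return scope.endswith("/.default") and scope.count("/.default") == 1


def build_token_requests(tenant_id, client_id, client_secret, resource_app_id_uris):
    """One token request per audience, as suggested in the comments.

    Returns a list of (url, form-encoded body) pairs to send with any HTTP
    client. Each resulting token carries a single aud claim.
    """
    url = TOKEN_URL.format(tenant_id=tenant_id)
    requests = []
    for app_id_uri in resource_app_id_uris:
        scope = default_scope(app_id_uri)
        if not is_valid_client_credentials_scope(scope):
            raise ValueError(f"not a single .default scope: {scope!r}")
        body = {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": scope,
        }
        requests.append((url, urlencode(body)))
    return requests


def audience_of(jwt: str) -> str:
    """Decode the aud claim of a JWT payload for inspection only.

    No signature check is done here; never use this to decide whether to
    trust a token. The resource API must validate tokens with a proper library.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def constructed_jwt(aud: str) -> str:
    """Constructed, unsigned token used only to demonstrate audience_of."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([seg({"alg": "none", "typ": "JWT"}),
                     seg({"aud": aud, "iss": "constructed"}), "sig"])


if __name__ == "__main__":
    # Placeholder identifiers, not values from the thread.
    apis = ["api://11111111-aaaa-4bbb-8ccc-000000000001",
            "api://22222222-aaaa-4bbb-8ccc-000000000002"]
    for url, body in build_token_requests("TENANT_ID_PLACEHOLDER",
                                          "CLIENT_ID_PLACEHOLDER",
                                          "CLIENT_SECRET_PLACEHOLDER", apis):
        print(url, body)
    print(audience_of(constructed_jwt(apis[0])))
```

Each request body is the same four fields listed in the question's edit; only `scope` differs per API, and the caller keeps one token per downstream resource rather than expecting one token to satisfy several audiences.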