I have a ASP.NET Core 3.1 project like this sample: Sign-in a user with the Microsoft Identity Platform in a WPF Desktop application and call an ASP.NET Core Web API.

I'm using Identity web version 1.0 and Azure AD, single-tenant application.

I've edited the manifest adding appRoles since I'm requesting an application token only, and not a user token:

"appId": "<guid>",
"appRoles": [
        "allowedMemberTypes": [
        "description": "Accesses the application.",
        "displayName": "access_as_application",
        "id": "<unique guid>",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "access_as_application"
"oauth2AllowUrlPathMatching": false,
I've also enabled the idtyp access token claim, to specify that this is an application token.:

"optionalClaims": {
    "idToken": [],
    "accessToken": [
            "name": "idtyp",
            "source": null,
            "essential": false,
            "additionalProperties": []
    "saml2Token": []
The following request is made with Postman. Please notice the use of /.default with the scope, which is mentioned in the documentation in relation to the client credentials grant flow.

POST /{tenant_id}/oauth2/v2.0/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded


The request returns an access_token which can be viewed with and looks like this, where actual data have been replaced by placeholders for security reasons.:

  "typ": "JWT",
  "alg": "RS256",
  "x5t": "[...]",
  "kid": "[...]"
  "aud": "api://<client_id>",
  "iss": "<tenant_id>/",
  "iat": 1601803439,
  "nbf": 1601803439,
  "exp": 1601807339,
  "aio": "[...]==",
  "appid": "<app id>",
  "appidacr": "1",
  "idp": "<tenant_id>/",
  "idtyp": "app",
  "oid": "<guid>",
  "rh": "[..].",
  "roles": [
  "sub": "<guid>",
  "tid": "<guid>",
  "uti": "[...]",
  "ver": "1.0"

I notice that the token above does not include scp. This seem correct as this is an application token and not a user token. Instead it includes `”roles”´ as appropiate for an application token.

The access_token can now be used as bearer in a Postman Get:

GET /api/myapi
Host: https://localhost:5001
Authorization: Bearer {access_token}

The reponse to this request is 500 internal error. I.e. something is wrong. The access_token looks like a corrent application token, so the error seems to be on the ASP.NET Core 3.1 controller side.

The ASP.NET Core 3.1. project hosting the custom API, has a startup.cs which includes the following code:


// This is added for the sole purpose to highlight the origin of the exception.
services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
    var existingOnTokenValidatedHandler = options.Events.OnTokenValidated;
    options.Events.OnTokenValidated = async context =>
        if (context.Principal.Claims.All(x => x.Type != ClaimConstants.Scope)
            && context.Principal.Claims.All(y => y.Type != ClaimConstants.Scp)
            && context.Principal.Claims.All(y => y.Type != ClaimConstants.Roles))
            // This where the exception originates from:
            throw new UnauthorizedAccessException("Neither scope or roles claim was found in the bearer token.");

The appsettings.json for the project includes:

"AzureAD": {
    "Instance": "",
    "Domain": "",
    "ClientId": "<client_id>",
    "TenantId": "<tenant_id>",
    "Audience": "api://<client_id>"

... and the controller looks like this:

public class MyApiController : Controller
    public async Task<string> Get()
        return "Hello world!";

The underlying cause of the 500 internal error is that this exception is thrown: IDW10201: Neither scope or roles claim was found in the bearer token. exception.


This video on "Implementing Authorization in your Applications with Microsoft identity platform - june 2020" suggests that the missing piece is this flag JwtSecurityTokenHandler.DefaultMapInboundClaims = false; which need to be set in startup.cs - e.g:

public void ConfigureServices(IServiceCollection services)
    // By default, the claims mapping will map clain names in the old format to accommodate older SAML applications.
    //'' instead of 'roles'
    // This flag ensures that the ClaimsIdentity claims collection will be build from the claims in the token
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
    [...more code...]


The video "Implementing Authorization in your Applications with Microsoft identity platform - june 2020" outlines that the missing piece is this flag JwtSecurityTokenHandler.DefaultMapInboundClaims = false; which need to be set in startup.cs - e.g:

public void ConfigureServices(IServiceCollection services)

    // By default, the claims mapping will map claim names in the old format to accommodate older SAML applications.
    //'' instead of 'roles'
    // This flag ensures that the ClaimsIdentity claims collection will be build from the claims in the token
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

    // Notice that this part is different in the video, 
    // however in this context the following seems to be 
    // the correct way of setting the RoleClaimType:
    services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
        // The claim in the Jwt token where App roles are available.
        options.TokenValidationParameters.RoleClaimType = "roles";

    [... more code ...]

Alternative 1

It is also possible to set authorization for the whole app like this in startup.cs:

services.AddControllers(options =>
    var policy = new AuthorizationPolicyBuilder()
        .RequireClaim("roles", "access_as_application")
    options.Filters.Add(new AuthorizeFilter(policy));

Alternative 2

It is also possible to use a policy like this:

services.AddAuthorization(config =>
    config.AddPolicy("Role", policy => 
        policy.RequireClaim("roles", "access_as_application"));

Now this policy can be used on a controller request like this:

[Authorize(Policy = "Role")]
public async Task<string> Get()
    return "Hello world!";

More in the documentation: Policy based role checks.


The reason is that your are making request with default scope scope=api%3A%2F%2{client_id}%2F.default which doesn't include scope claim in the access_token you should use specific scope that you are registered for your ASP.NET Core 3.1 API project when you have exposing that API in the Azure Portal.


Just add DefaultMapInboundClaims to your API service config

public void ConfigureServices(IServiceCollection services)
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

When I received this error, "IDW10202", it was because of this line of code in the Controller.


This might help if you are planning on not using build in scopes or roles. You can enable "access-control list" authentication using my example for Azure B2C below. Here are some links to the official documentation.

Add the following to your AD configuartion: "AllowWebApiToBeAuthorizedByACL": true


"AzureAdB2C": {
    "Instance": "",
    "ClientId": "xxxx",
    "Domain": "",
    "SignUpSignInPolicyId": "xxx",
    "AllowWebApiToBeAuthorizedByACL": true

For what ACL/Access-control list means: ACL: