Error AADSTS90014: The required field 'scope' is missing from the credential when Authenticating with OAuth against a Microsoft API


Description

This KB covers the exception "AADSTS90014: The required field 'scope' is missing from the credential", which can be seen when a ServiceNow instance uses OAuth to authenticate to a Microsoft API. This happens, for example, when the instance is set up to make an outbound REST call to a Microsoft API, or when using the Microsoft Azure AD Spoke.

An example of the full error message:

OAuth flow failed. Verify the configurations and try again. Error detail:invalid_request, AADSTS90014: The required field 'scope' is missing from the credential. Ensure that you have all the necessary parameters for the login request. Trace ID: ae29cedf-b4c1-46g4-9eghy-948610362001 Correlation ID: c254e96d-0dc5-4b23-idq6-de67229703e5 Timestamp: 2021-10-10 10:46:12Z, https://login.microsoftonline.com/error?code=90014


Cause

In this scenario, an OAuth application registry entry is defined with the grant type required by the third-party configuration, together with scope and profile information. The grant type used is Client Credentials.

Setup OAuth

An outbound REST call, or the Azure AD Spoke, is configured to use the above OAuth profile as the authentication for the REST request. When the "Get OAuth token" button on the outbound REST message record is clicked, the third party returns the following exception in the response:

"AADSTS90014: The required field 'scope' is missing from the credential"

Resolution

The issue is that no scope value is mapped to the profile record in the oauth_entity_profile table. Open the list view at https://INSTANCENAME.service-now.com/oauth_entity_profile_list.do, then open the OAuth Entity Profile used by the relevant oauth_entity record (the one you are authenticating with). On the oauth_entity_profile form, insert a new row under 'OAuth Entity Profile Scopes' with Name "Default" and OAuth scope ".default".


After the scope is mapped to the profile record referenced by the OAuth application registry, the token is received successfully from the third party via the "Get OAuth token" button on the outbound REST record, or on the IntegrationHub -> Credentials record in the case of the Azure AD Spoke.
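As an added example (not ServiceNow or Microsoft code), the script below builds the form body that the Microsoft identity platform v2.0 token endpoint expects for the client_credentials grant, flags a missing scope before the request is ever sent, and parses the AADSTS error detail so the Trace ID and Correlation ID can be quoted in a support case. The tenant ID, client ID and secret are placeholders supplied by the caller; the sample error text is the message quoted earlier in this KB.

```python
import re
# Form fields the Microsoft identity platform v2.0 token endpoint requires
# for the client_credentials grant; `scope` is the one the KB's profile lacked.
REQUIRED_FIELDS = ("grant_type", "client_id", "client_secret", "scope")

# Error detail quoted in the KB above, used here as sample input.
SAMPLE_ERROR = (
    "OAuth flow failed. Verify the configurations and try again. Error detail:"
    "invalid_request, AADSTS90014: The required field 'scope' is missing from "
    "the credential. Ensure that you have all the necessary parameters for the "
    "login request. Trace ID: ae29cedf-b4c1-46g4-9eghy-948610362001 "
    "Correlation ID: c254e96d-0dc5-4b23-idq6-de67229703e5 "
    "Timestamp: 2021-10-10 10:46:12Z, https://login.microsoftonline.com/error?code=90014"
)

def build_token_request(tenant_id, client_id, client_secret, scopes):
    """Return (url, form) for a client_credentials token request. `scopes` holds
    the OAuth Entity Profile Scopes (e.g. [".default"]); an empty list reproduces
    the misconfiguration behind AADSTS90014."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scopes:
        form["scope"] = " ".join(scopes)  # scope is space-delimited
    return url, form

def missing_fields(form):
    """Required fields that are absent or empty; check this before sending."""
    return [f for f in REQUIRED_FIELDS if not form.get(f)]

AADSTS_RE = re.compile(
    r"(AADSTS\d+): (?P<msg>.*?)\s+Trace ID: (?P<trace>\S+)"
    r"\s+Correlation ID: (?P<corr>\S+)"
    r"\s+Timestamp: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z)"
)

def parse_aadsts_error(text):
    """Extract code, message, Trace ID, Correlation ID and timestamp from an
    error detail string so they can be quoted in a support case; None if no
    AADSTS code is present."""
    m = AADSTS_RE.search(text)
    if m is None:
        return None
    return {"code": m.group(1), "message": m.group("msg"),
            "trace_id": m.group("trace"), "correlation_id": m.group("corr"),
            "timestamp": m.group("ts")}
```

Running missing_fields on the form before the call turns the remote AADSTS90014 into a local configuration error that names the empty field.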