Azure AD spoke throwing error "Client credential flows must have a scope value with /.default suffixed to the resource identifier".


Description

Getting error "The provided value for scope openid is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI)." when trying to configure the OAuth credentials for Azure AD spoke.

Release or Environment

All

Cause

OAuth flow failed. Verify the configurations and try again. Error detail: invalid_scope, AADSTS1002012: The provided value for scope openid is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).

Resolution

Change the OAuth Entity scopes (https://<instance-name>.service-now.com/nav_to.do?uri=oauth_entity.do?sys_id=c7558fb9cb111200d6f21494634c9ca2%26sysparm_view=oauth_provider) so that there is an entry with Name 'Default' and OAuth Scope '.default' (no quotes). Azure AD requires this form for the "Client Credentials" grant: the scope must be the resource identifier (application ID URI) with /.default suffixed, and a delegated scope such as openid is rejected with AADSTS1002012.


The Azure AD default_profile (https://<instance-name>.service-now.com/nav_to.do?uri=oauth_entity_profile.do?sys_id=d8368fb9cb111200d6f21494634c9ca6%26sysparm_view=oauth_provider) must then be mapped to the OAuth Entity scope 'Default' (scope value '.default').
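The following added example (not part of this KB article and not ServiceNow's or Microsoft's code) shows the rule behind the fix: it builds a client-credentials token request for the Azure AD v2.0 endpoint, rejects scope values such as openid before any request is sent, and maps the AADSTS1002012 / invalid_scope response back to the remediation above. It assumes the scope sent to Azure AD is the resource's application ID URI with /.default appended, as the error message states; the tenant id, client id, secret and resource identifiers are constructed sample values.

```python
"""
Client-credentials scope handling for the Microsoft identity platform (Azure AD)
v2.0 token endpoint. Added example; the tenant, client and secret values used
in the usage section are constructed placeholders, not real credentials.
"""
import json
from typing import List, Optional, Tuple
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# OpenID Connect scopes that only apply to user-delegated flows; the
# client-credentials grant rejects them with AADSTS1002012.
DELEGATED_ONLY_SCOPES = {"openid", "profile", "email", "offline_access"}


def client_credentials_scope(resource: str) -> str:
    """Return '<resource>/.default' for a resource identifier (application ID URI)."""
    resource = resource.strip()
    if not resource:
        raise ValueError("resource identifier must not be empty")
    if resource.endswith("/.default"):
        return resource
    return resource.rstrip("/") + "/.default"


def validate_client_credentials_scope(scope: str) -> List[str]:
    """Return the problems with a scope value for the client-credentials grant.

    An empty list means the value is acceptable.
    """
    problems: List[str] = []
    values = scope.split()
    if not values:
        return ["scope is empty"]
    for value in values:
        if value in DELEGATED_ONLY_SCOPES:
            problems.append(
                f"'{value}' is a delegated (OpenID Connect) scope and is not valid for client credentials"
            )
        elif not value.endswith("/.default"):
            problems.append(f"'{value}' must be '<resource>/.default'")
    if len(values) > 1:
        # Client credentials take a single resource per token request.
        problems.append("only one '<resource>/.default' scope is allowed per request")
    return problems


def build_token_request(tenant: str, client_id: str, client_secret: str, resource: str) -> Tuple[str, str]:
    """Return (token URL, form-encoded body) for a client-credentials request.

    The scope is checked first so a misconfiguration fails locally instead of
    producing an invalid_scope error from Azure AD.
    """
    scope = client_credentials_scope(resource)
    problems = validate_client_credentials_scope(scope)
    if problems:
        raise ValueError("; ".join(problems))
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def diagnose_token_error(response_json: str) -> Optional[str]:
    """Turn an Azure AD token error response into a remediation hint.

    Returns None when the response carries no error.
    """
    data = json.loads(response_json)
    if "error" not in data:
        return None
    description = data.get("error_description", "")
    if data["error"] == "invalid_scope" and "AADSTS1002012" in description:
        return ("client credentials need the scope '<resource>/.default'; "
                "in ServiceNow add an OAuth Entity scope named 'Default' with value '.default'")
    return f"{data['error']}: {description}"


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    url, body = build_token_request(
        tenant="00000000-0000-0000-0000-000000000000",
        client_id="11111111-1111-1111-1111-111111111111",
        client_secret="CONSTRUCTED-PLACEHOLDER-SECRET",
        resource="https://graph.microsoft.com",
    )
    print(url)
    print(body)
    # What the request in the Cause section would be rejected for:
    print(validate_client_credentials_scope("openid"))
```

The validator deliberately runs before the request is built: an instance that sends openid (the scope in the Cause section) never reaches Azure AD, and the diagnostic helper maps the server-side rejection to the same OAuth Entity change described in the Resolution.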

Additional Information

Set up Microsoft Azure AD spoke:

https://docs.servicenow.com/bundle/rome-servicenow-platform/page/administer/integrationhub-store-spokes/task/set-up-azure.html#set-up-azure