Lane McLaughlin

I've run into this issue as well, repro'd in 2 different projects. What's interesting is it works/doesn't work as follows: - **works**: for access_tokens that are on-behalf-of-the-user via the authorization_code...

Thanks @jmprieur . i had read that msft docs link and i didn't really understand why the daemon app couldn't/wouldn't use the scope the same way and didn't understand what...

Thanks @jmprieur - yes, okta does generate the scope (scp) claim. i don't understand why the call to HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi); works for me but [RequiredScopes(scopeRequiredByApi)] does not. It seems to me...

@jmprieur i'll grab some code and/or screen snippets to share/show ...

here's a snippet of scope check working as expected via the method but not the attribute.  i am using app.UseAuthorization. and in this project i do have 1 policy...

@jmprieur - not exactly .... what i'm showing you above is i've intentionally left out the documents.create scope and i'm showing you how the [RequiredScopes("documents.create")] attribute did NOT block the...