The request flow for my setup is that first, the requests go to AWS ALB, then authentication is done by Entra at the ALB level, and then, if auth is successful, the request with the tokens set as headers is forwarded to my backend application. So, I created an app in Entra and configured AWS ALB with the endpoints I got from Entra. Scopes were set to "openid profile email" in ALB. Now, authentication is getting done, but the problem is that Entra is issuing v1.0 tokens and also adding a new field called nonce in the header of the token, due to which JWT verification is failing in my backend application.

So, to avoid this issue, I changed the "requestedAccessTokenVersion" field to 2 in the manifest.api section of the Entra app configs/settings to force Entra to issue v2.0 tokens, and also created a custom API and exposed it. I also changed the scopes in AWS ALB to openid api://<app-uri>/<scope-name> to force ALB to use this custom API which I created in Entra instead of the default Microsoft Graph API scopes. Then, valid v2.0 tokens were generated properly without the nonce field and I was able to verify the JWT token, but the issue is that the userinfo endpoint (in my case https://graph.microsoft.com/oidc/userinfo) requires the aud field value in the token to be set to Microsoft Graph's default app-id instead of the client/app id we created in Entra, because of which authentication is failing with a 561 status code.

In short, to verify the JWT token, I don't want that extra nonce field in the token, and preferably v2.0 tokens instead of v1.0. If I add a custom scope, then the token will have the aud set to the app-id instead of the default MS Graph app-id, which is breaking the userinfo endpoint. I cannot add both MS OAuth scopes and custom API scopes, and I can't remove any of them, as I need openid for authentication and my custom scope for a valid v2.0 token. How can we resolve this issue?

Any suggestions/help would be highly appreciated. Thanks!!

asked Oct 23, 2025 at 21:20

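The question hinges on which token the backend is actually being handed. The following is an added diagnostic example (not code from the question's author or from AWS or Microsoft) that decodes the access token ALB forwards in the `x-amzn-oidc-accesstoken` header and classifies it the way the post describes: a token carrying a `nonce` header or an `aud` of Microsoft Graph's well-known application ID (`00000003-0000-0000-c000-000000000000`) is a Graph token and is not meant to be signature-validated by anyone but Graph; a token whose `aud` is your own app (client) ID or App ID URI is the one your backend should validate. It decodes without verifying signatures, purely to show which case you are in; real validation still needs the tenant's JWKS, issuer and expiry checks. The client ID, tenant ID, App ID URI `api://my-api` and the sample tokens are constructed assumptions.

```python
import base64
import json

# Well-known application ID of Microsoft Graph. Access tokens whose "aud" is this value
# are intended for Graph, and Entra adds a "nonce" header to them; your backend cannot
# validate their signature and should not try.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Assumed values for the Entra app registration described in the question (constructed).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
APP_ID_URI = "api://my-api"  # v1.0 tokens for a custom API carry the App ID URI as "aud"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWS and decode header and claims WITHOUT checking the signature.

    Diagnosis only: deciding whether to validate at all comes before validating."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def classify_token(token: str, expected_audiences: set) -> dict:
    """Say which of the situations in the question a token falls into."""
    header, claims = decode_jwt_unverified(token)
    aud = claims.get("aud")
    ver = claims.get("ver")
    has_nonce = "nonce" in header
    if has_nonce or aud == GRAPH_APP_ID:
        verdict = "graph"   # Graph-audience token: do not validate it in the backend
    elif aud in expected_audiences and ver == "2.0":
        verdict = "api-v2"  # issued for your API with v2.0 claims: validate sig, iss, exp
    elif aud in expected_audiences:
        verdict = "api-v1"  # for your API but v1.0 format (requestedAccessTokenVersion not 2)
    else:
        verdict = "reject"  # not intended for this backend at all
    return {"aud": aud, "ver": ver, "has_nonce": has_nonce, "verdict": verdict}


def classify_alb_request(headers: dict, expected_audiences: set) -> dict:
    """ALB forwards the identity provider's access token in x-amzn-oidc-accesstoken."""
    token = headers.get("x-amzn-oidc-accesstoken")
    if not token:
        raise ValueError("x-amzn-oidc-accesstoken missing: request did not pass ALB authentication")
    return classify_token(token, expected_audiences)


# Constructed sample tokens with a placeholder signature, mirroring the question's two setups.
# Scopes "openid profile email": v1.0 token for Graph, nonce in the header.
GRAPH_STYLE_TOKEN = ".".join([
    _b64url_encode({"typ": "JWT", "nonce": "constructed-nonce", "alg": "RS256", "kid": "k1"}),
    _b64url_encode({"aud": GRAPH_APP_ID, "iss": f"https://sts.windows.net/{TENANT_ID}/",
                    "ver": "1.0", "scp": "openid profile email"}),
    "sig",
])
# Scope "openid api://my-api/<scope-name>" with requestedAccessTokenVersion=2: v2.0 token, no nonce.
API_V2_TOKEN = ".".join([
    _b64url_encode({"typ": "JWT", "alg": "RS256", "kid": "k1"}),
    _b64url_encode({"aud": CLIENT_ID, "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
                    "ver": "2.0", "scp": "access_as_user"}),
    "sig",
])
# Same custom scope but without requestedAccessTokenVersion=2: v1.0 token with the App ID URI as aud.
API_V1_TOKEN = ".".join([
    _b64url_encode({"typ": "JWT", "alg": "RS256", "kid": "k1"}),
    _b64url_encode({"aud": APP_ID_URI, "iss": f"https://sts.windows.net/{TENANT_ID}/",
                    "ver": "1.0", "scp": "access_as_user"}),
    "sig",
])

if __name__ == "__main__":
    for name, tok in [("graph", GRAPH_STYLE_TOKEN), ("api-v2", API_V2_TOKEN), ("api-v1", API_V1_TOKEN)]:
        print(name, classify_token(tok, {CLIENT_ID, APP_ID_URI}))
```

Run it against a real token by passing the forwarded request headers to `classify_alb_request`; a "graph" verdict means the signature failure is expected rather than a bug in your verifier, and an "api-v1" verdict means the custom scope is in place but the app's `requestedAccessTokenVersion` is still not 2.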