Token is generating with all the available scopes in AzureAD

I have below setup on Azure,

  1. Host APP
    • Added 3 Scopes under "Expose an API" tab i.e. abc, def, ghi
  2. Client APP
    • Added all 3 Scopes under "API Permissions" tab

Now if I request the token from Postman for Client APP with specific scope(s) and I decode the token over JWT.IO then I all 3 scopes available in "scp" claim.

POSTMAN Setup for OAuth 2.0,

enter image description here

My expectation here is to implement scope based authorization where If I request the token for abc scope then only ABC should present in token.

How many English words
do you know?
Test your English vocabulary size, and measure
how many words do you know
Online Test
Powered by Examplum