Some Microsoft endpoints do not accept the JWT token produced by MSAL
I have an MSAL app that creates authentication tokens for accessing various Microsoft APIs.
I provide the app specific scopes, and it creates a corresponding authentication token bearing those scopes. This app works perfectly fine for all types of endpoints I tried up
```python
import msal


def _create_or_get_msal_app_client(
    self,
    client_id: str,
    tenant_id: str | None = None,
    is_confidential_client: bool = False,
    client_credential: str | None = None,
) -> msal.ClientApplication:
    """
    Create public or confidential msal app client to generate tokens
    :param client_id: the client id (also known as application id)
    :param tenant_id: the tenant id to use as authority, if not provided will use common authority
    :param is_confidential_client: build a ConfidentialClientApplication instead of a PublicClientApplication
    :param client_credential: client secret (or certificate dict) used only for a confidential client
    :return: the msal app
    """
    if self._msal_app:
        return self._msal_app
    try:
        authority = tenant_id if tenant_id else "common"
        authority_url = f"https://login.microsoftonline.com/{authority}"
        if is_confidential_client:
            self._msal_app = msal.ConfidentialClientApplication(
                client_id=client_id, client_credential=client_credential, authority=authority_url
            )
        else:
            self._msal_app = msal.PublicClientApplication(client_id=client_id, authority=authority_url)
        return self._msal_app
    except Exception as exc:
        # the except clause was not included in the post; surface the failure to the caller
        raise RuntimeError("failed to create MSAL app client") from exc


# call site (inside another method of the same class; concrete values were redacted in the post)
msal_app = self._create_or_get_msal_app_client(client_id=client_id, tenant_id=tenant_id)
return msal_app.acquire_token_by_username_password(
    username=username, password=password, scopes=scopes  # scopes: a list of scope strings
)
```
The tokens produced, if pasted into jwt.io, are marked as invalid, which is not a bad thing in itself, as noted by this question.
My problem is, when I try to call APIs with endpoints of type:
https://admin.powerplatform.microsoft.com/api/*
It almost seems like those kinds of endpoints have a different authorization system than the rest of the endpoints. For one, the token this EP uses in the UI I took it from has a perfectly valid signature when I decode it in jwt.io, as opposed to the token issued by MSAL. This means that I now get a 401
response when I try to use the MSAL-issued tokens, and the reason for the failed request, according to the response header resp.headers._store['www-authenticate'][1],
is:
Bearer error="invalid_token", error_description="The signature is invalid"
This doesn't happen with any other Microsoft API I tried to call; for example, with EPs of type https://graph.microsoft.com/v1.0/*
the token produced by MSAL works perfectly fine.
The prime suspect in these types of authentication errors is the scopes asked. But no matter what scopes I ask, whether I ask for insufficient or sufficient or no scopes at all, I still get the same error.
The exception is what was suggested here: to ask for the scope [client_id]/.default
(where client id is the client id), but when I try to do that I get the error:
Bearer error="invalid_token", error_description="The audience \'[client_id]\' is invalid"
in the response headers.
I have another clue about what might be the problem in this forum, where the person asking the question mentioned that the EP is using OAuth. Could it be that this is different from MS Graph in any way?
So my question is, how do I configure my MSAL app to work with https://admin.powerplatform.microsoft.com/api/*
? Or alternatively, what EP could I use instead that does work with MSAL, and contains the same functionality as this one?
Note: looking at the headers in the request that gets the tokens in the UI, I see they are using msal.js.browser,
so this should be possible in theory. (By the way, the requested scope in the UI is [client_id]/.default openid profile offline_access,
sent to the EP https://login.microsoftonline.com/common/oauth2/v2.0/token.)
When decoding the UI token in jwt.ms it says that the token is issued by AAD.
Example of a concrete EP I am trying to access: https://admin.powerplatform.microsoft.com/api/Environments/{env_name}/roleassignments/environmentadmin
. The API is taken from the Power Platform Admin Center. More info about it here.
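The first thing a practitioner checks when a resource answers 401 with `invalid_token` is what the token actually carries (`aud`, `iss`, `scp`, `tid`) against what the resource expects, and what the `WWW-Authenticate` challenge says. The helpers below are an added example for that diagnostic; they are not part of the original post and not MSAL's own code. They use only the standard library, decode the token without verifying it (inspection only, never an access-control decision), parse the `Bearer` challenge shown in the question, and build a constructed, unsigned test token so everything runs offline. The claim values, tenant id and the expected-audience set in `main` are placeholders: the post does not state which audience the Power Platform admin API requires.

```python
import base64
import json
import re
from typing import Any


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def peek_jwt(token: str) -> tuple[dict, dict]:
    """Return (header, claims) WITHOUT checking the signature.

    Inspection only: an access token is validated by the resource it was issued
    for, not by the client that received it, so never gate anything on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_audience(claims: dict, expected_audiences: set[str]) -> dict[str, Any]:
    """Summarise the claims a resource server looks at before accepting a token."""
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    scopes = claims.get("scp", "")  # delegated scopes are a space-separated string
    return {
        "audience": aud_list,
        "audience_ok": any(a in expected_audiences for a in aud_list),
        "issuer": claims.get("iss"),
        "tenant": claims.get("tid"),
        "scopes": scopes.split() if isinstance(scopes, str) else list(scopes),
    }


# key="value" pairs; the value may contain backslash-escaped quotes
_CHALLENGE_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(www_authenticate: str) -> dict[str, str]:
    """Parse a `WWW-Authenticate: Bearer error="...", error_description="..."` value."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unexpected auth scheme {scheme!r}")
    return {k: v.replace('\\"', '"') for k, v in _CHALLENGE_PARAM.findall(params)}


def make_unsigned_test_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT so the helpers can be exercised offline.
    Real tokens are signed; this exists only to feed peek_jwt in a test."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment
    ])


def main() -> None:
    # constructed claims (placeholder tenant id and audience), not a real token
    sample_claims = {
        "aud": "https://graph.microsoft.com",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "tid": "00000000-0000-0000-0000-000000000000",
        "scp": "User.Read Directory.Read.All",
    }
    token = make_unsigned_test_token(sample_claims)
    header, claims = peek_jwt(token)
    print("header:", header)
    # hypothetical expected audience for the admin API; substitute the real one once known
    print(check_audience(claims, {"https://admin.powerplatform.microsoft.com"}))
    # the challenge quoted in the question
    print(parse_bearer_challenge(
        'Bearer error="invalid_token", error_description="The signature is invalid"'
    ))


if __name__ == "__main__":
    main()
```

Run it against the real access token returned by `acquire_token_by_username_password` (the `access_token` field of the result dict) and compare `audience` with the audience the failing endpoint expects; a token minted for one resource is rejected by another, which is exactly what an `invalid audience` challenge reports. `peek_jwt` deliberately skips signature verification, so treat its output as debugging information only.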
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow