I have been playing a lot lately with Azure AD B2C, trying to look at replacing Auth0 with Azure AD B2C.
Auth0 is definitely the easier of the two to implement, for now.
Anyway, I had been using Postman to authenticate to Azure AD B2C when I began struggling with how to pass multiple scopes.
Based on a couple of articles I read, I passed the scopes separated by a space. I tried this, then inspected the token in https://jwt.io and noticed my scopes were missing.
I found this article https://saraford.net/2017/11/10/testing-a-secured-web-api-using-postman and took a deeper look at how Azure was creating the endpoint.
I noticed that for each scope the full scope value was passed, e.g. https://<tenant>.onmicrosoft.com/<app>/<scope>. So I made that change to my Postman request and requested a new token.
I then inspected the token in https://jwt.io and noticed ALL my requested scopes were present.
Hopefully this saves someone a face plant or two, or three. 😊
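The same check can be done locally instead of pasting the token into a website. This is an added example, not code from the original post: it builds the scope parameter from full scope URIs and reports which requested scopes are absent from the token. The tenant `contoso`, app `api`, the scope names, and the assumption that the access token lists short scope names space-separated in its `scp` claim are all illustrative.

```python
import base64
import json


def full_scopes(tenant, app, names):
    """Build the space-separated scope parameter from full scope URIs."""
    base = f"https://{tenant}.onmicrosoft.com/{app}"
    return " ".join(f"{base}/{name}" for name in names)


def jwt_claims(token):
    """Decode the JWT payload locally. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_scopes(token, requested):
    """Return requested scope names that are absent from the scp claim."""
    # Assumption: scp holds short scope names separated by spaces.
    granted = set(jwt_claims(token).get("scp", "").split())
    wanted = [uri.rsplit("/", 1)[-1] for uri in requested.split()]
    return [name for name in wanted if name not in granted]


def constructed_token(claims):
    """Build an unsigned sample token (constructed for this demo, not real)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    requested = full_scopes("contoso", "api", ["read", "write"])
    print("scope parameter:", requested)
    # Token issued with both scopes versus one where the scopes were dropped.
    for claims in ({"scp": "read write"}, {}):
        token = constructed_token(claims)
        print(claims, "-> missing:", missing_scopes(token, requested))
```
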
For those working with Azure AD B2C, here are some links to some great articles that have helped, and continue to help, me along the way.