Token Claims Validation Failed for InstallationClient (Error 10.4)
During the Nodinite installation pre-flight check you may see a VALIDATION FAILED message with one or both of the following errors:
ERROR: [10.4] Token claims validation failed for InstallationClient.
Required scope 'api://<webApi-client-id>/.default' not satisfied
ERROR: [10.4] Token claims validation failed for InstallationClient.
Required claim 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' is missing
You may also see a preceding warning:
WARNING: [10.3] No InstallClientId/InstallClientSecret values were provided in agent
configuration. Skipping live OAuth2 client_credentials token validation.
Why This Happens
The installation wizard performs a configuration validation step (check [10.4]) that verifies the Installation Client Scopes and Installation Client Claims fields are correctly set before attempting to connect to Entra ID. If either field is empty or mis-configured the installer aborts with VALIDATION FAILED.
There are two independent root causes — you may encounter one or both:
| # | Error Message | Root Cause |
|---|---|---|
| 1 | Required scope 'api://.../.default' not satisfied |
The Installation Client Scopes field in the Nodinite OpenID configuration is empty or contains the wrong value |
| 2 | Required claim '…/claims/role' is missing |
The Installation Client Claims key/value pair is missing or incorrect in the Nodinite OpenID configuration |
Additionally, even if the configuration fields are correct, the installation will fail at runtime if admin consent has not been granted for the AppRole_WebApi_all application permission in Entra ID. The warning [10.3] about skipping live validation means the installation wizard could not perform a live token test (no live credentials supplied), so only the static configuration check ran — the runtime failure would surface later during the actual installation.
How to Fix
Work through the checklist below. Most cases are resolved by completing steps 1–3.
Step 1: Verify the Installation Client Scopes Field
In the Nodinite installation wizard, navigate to General → Installation Client Scopes and confirm the value is:
api://<webApi-client-id>/.default
Replace <webApi-client-id> with the Application (client) ID of your webApi app registration in Entra ID.
Example:
api://d731e991-1234-5678-90ab-cdef12345678/.default
The .default suffix instructs Entra ID to include all application permissions that have been granted admin consent for the client. If this field is blank or contains only scopes like openid or profile, the scope check will fail.
Step 2: Verify the Installation Client Claims Fields
In the Nodinite installation wizard, navigate to General → Installation Client Claims and confirm:
| Field | Required Value |
|---|---|
| Key | http://schemas.microsoft.com/ws/2008/06/identity/claims/role |
| Value | AppRole_WebApi_all |
This tells Nodinite which claim in the access token identifies the installation client as an authorized daemon. If the key is missing or uses a shortened form (e.g., roles) the validation will fail.
Step 3: Verify Admin Consent for AppRole_WebApi_all
In the Azure Portal, confirm that admin consent has been granted for the AppRole_WebApi_all application permission on the NodiniteInstallationClient app registration.
- Navigate to Microsoft Entra ID > App registrations > NodiniteInstallationClient.
- Select API permissions from the left menu.
- Confirm
AppRole_WebApi_allis listed under Configured permissions. - Check the Status column — it must show Granted for [Your Tenant].
- If the status shows Not granted, click Grant admin consent for [Your Tenant Name] and confirm.
Warning
Only an Azure AD Global Administrator or Privileged Role Administrator can grant admin consent. If you do not see the Grant admin consent button, contact your Azure AD administrator.
Without admin consent, Entra ID will not include the AppRole_WebApi_all role in the access token even if all settings in the Nodinite wizard are correct. The roles claim will be absent and Nodinite will deny the request.
Step 4: Verify the Application Permission Exists
In some cases the application permission was never added to the NodiniteInstallationClient. Confirm it is configured:
- Navigate to Microsoft Entra ID > App registrations > NodiniteInstallationClient > API permissions.
- Check that
AppRole_WebApi_allis listed under Configured permissions with type Application. - If it is missing, add it:
- Click + Add a permission > My APIs > webApi.
- Select Application permissions (not Delegated).
- Tick
AppRole_WebApi_alland click Add permissions. - Grant admin consent (see Step 3).
Step 5: Verify requestedAccessTokenVersion on webApi
The NodiniteInstallationClient uses the client credentials flow. Entra ID issues a v2 token only when the receiving API (webApi) declares version 2. If version 1 tokens are issued, the roles claim format differs and validation may fail.
- Navigate to Microsoft Entra ID > App registrations > webApi > Manifest.
- Find
"requestedAccessTokenVersion"and confirm it is set to2. - If missing or set to
null/1, update it to2and click Save.
Verification After Fixing
After applying the fixes, re-run the installation script. A successful pre-flight check for check [10.4] looks like:
[10.4] INFO: InstallationClient token claims validation passed.
If you still see errors, collect the full installation log and contact Nodinite Support.
Quick Reference Checklist
- Installation Client Scopes =
api://<webApi-client-id>/.default - Installation Client Claims Key =
http://schemas.microsoft.com/ws/2008/06/identity/claims/role - Installation Client Claims Value =
AppRole_WebApi_all -
AppRole_WebApi_allapplication permission added toNodiniteInstallationClient - Admin consent granted for
AppRole_WebApi_all -
requestedAccessTokenVersion=2in thewebApimanifest