Well, unlike a few months ago when I tried it, it's now working. What's working? The OAuth2 interaction between Microsoft API Management and AAD (and the backend IDP).
We set it up by configuring an OAuth 2.0 authorization server (AS) in the management console, having first created an AAD app in our tenant to complement that OAuth consumer definition:
rapmlsqa.com app in AAD, to work with the API Management consumer of OAuth tokens
On the API itself, we bind the API endpoints' security guard to this new AS (the AAD app):
Over on the developer portal, we can use the built-in test client:
which we can authorize against AAD, so that the client obtains an authorization code and then tokens to talk to the API.
We see in the handshake that the client UA does talk to the remote API client, which does attempt to exchange the acquired authorization code for a token. BUT IT FAILS (STILL).
The client code still does not supply the resource ID (the AAD `resource` parameter) on the token endpoint request.
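As an added example (not code from Azure API Management or its developer portal test client), here is what a complete authorization-code exchange against the AAD v1 token endpoint looks like, with the `resource` parameter the post reports missing. It refuses to send an incomplete token request before any network I/O, and checks the `state` value on the redirect before exchanging the code. The tenant, client ID, secret, redirect URI and resource URI are placeholders, and the redirect and token response are constructed so the flow runs offline.

```python
"""Authorization-code exchange against the AAD (v1) token endpoint.

Added example; not code from Azure API Management or its developer portal
test client. Tenant, client, redirect and resource identifiers are
placeholders (assumptions); the redirect and token response are constructed.
"""
import json
import secrets
import urllib.parse
import urllib.request
from typing import List, Optional

AAD_V1_TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"

# Form fields an authorization_code exchange at the v1 endpoint should carry.
# `resource` names the API (App ID URI or application ID) the token is for;
# it is the parameter the portal's test client left out of its token request.
REQUIRED_FOR_AUTH_CODE = ("grant_type", "code", "client_id", "redirect_uri", "resource")


def token_endpoint(tenant: str) -> str:
    """Token endpoint for a tenant (GUID or *.onmicrosoft.com domain)."""
    return AAD_V1_TOKEN_ENDPOINT.format(tenant=urllib.parse.quote(tenant, safe=""))


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Pull the authorization code out of the redirect the user agent carried back,
    refusing it if AAD returned an error or `state` did not round-trip (anti-CSRF)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {query['error'][0]} {desc}".rstrip())
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: stale request or CSRF attempt")
    return query["code"][0]


def build_token_request(code: str, client_id: str, client_secret: str,
                        redirect_uri: str, resource: Optional[str] = None) -> dict:
    """Form body for the code-for-token exchange. `resource` is optional here on
    purpose so the incomplete request can be shown beside the correct one."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must match the one sent to /authorize
    }
    if resource is not None:
        body["resource"] = resource
    return body


def missing_parameters(body: dict) -> List[str]:
    """Required fields absent or empty in a token request body."""
    return [p for p in REQUIRED_FOR_AUTH_CODE if not body.get(p)]


def exchange_code(tenant: str, body: dict, opener=urllib.request.urlopen) -> dict:
    """POST the form-encoded body and return the parsed JSON token response.
    Fails fast, before any network I/O, if the body is incomplete; `opener`
    is injectable so the flow can be exercised offline."""
    missing = missing_parameters(body)
    if missing:
        raise ValueError("token request incomplete, missing: " + ", ".join(missing))
    req = urllib.request.Request(
        token_endpoint(tenant),
        data=urllib.parse.urlencode(body).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with opener(req) as resp:
        return json.loads(resp.read())


class _CannedResponse:
    """Stand-in for an HTTP response so the flow runs offline (constructed data)."""
    def __init__(self, payload: dict):
        self._raw = json.dumps(payload).encode()
    def read(self) -> bytes:
        return self._raw
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_opener(req: urllib.request.Request) -> _CannedResponse:
    """Constructed token endpoint: echoes the `resource` the request carried."""
    fields = urllib.parse.parse_qs(req.data.decode())
    return _CannedResponse({"token_type": "Bearer", "resource": fields["resource"][0],
                            "access_token": "constructed.jwt.value"})


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    redirect = f"https://client.example/callback?code=constructed-code-1&state={state}"
    code = parse_redirect(redirect, state)
    common = dict(code=code, client_id="00000000-0000-0000-0000-000000000001",
                  client_secret="placeholder-secret", redirect_uri="https://client.example/callback")
    try:  # what the portal test client did: no resource, so refuse to send it at all
        exchange_code("contoso.onmicrosoft.com", build_token_request(**common), fake_opener)
    except ValueError as e:
        print(e)
    ok = exchange_code("contoso.onmicrosoft.com",
                       build_token_request(resource="https://api.example/", **common), fake_opener)
    print(ok["resource"], ok["token_type"])
```

Swap `fake_opener` for the default `urllib.request.urlopen` to run the exchange against a real tenant; the `missing_parameters` check is the one that would have flagged the portal client's request before it reached the token endpoint.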