Best Practices for creating an authorization server for API Management (Client Credential Flow)
I’ve been tasked with implementing an OAuth2 Client_Credential flow to secure our internal services. Instead of creating an authorization server per API with a couple of scopes and maybe 1 policy, could I create just one authorization server with many scopes but add per-client-application policies to restrict access?
My name is Tomas and I'll be assisting you with this question. There are no best practices for this, but this can be achieved by creating multiple rules inside the Access Policies. I have inserted the link for the documentation regarding this matter below:
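The single-server layout discussed in this thread, sketched as an added example that is not part of the original posts or any vendor's code: one authorization server holds every scope, and each access policy is assigned to specific client applications, with rules limiting which scopes the client credentials grant may issue. The class names, client IDs, scope names and first-match evaluation order are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    grant_types: set   # grant types the rule applies to
    scopes: set        # scopes this rule may issue

@dataclass
class AccessPolicy:
    name: str
    client_ids: set    # client applications the policy is assigned to
    rules: list = field(default_factory=list)

def authorize(policies, client_id, grant_type, requested_scopes):
    """Return the granted scope set, or None (deny) if no rule covers the request.

    Policies and rules are checked in list order (an assumption of this model);
    the first rule that matches the grant type and covers every requested
    scope wins. Anything that matches no rule is denied.
    """
    requested = set(requested_scopes)
    if not requested:
        return None  # refuse scope-less requests rather than guess a default
    for policy in policies:
        if client_id not in policy.client_ids:
            continue
        for rule in policy.rules:
            if grant_type in rule.grant_types and requested <= rule.scopes:
                return requested
    return None

# Constructed sample: one authorization server, two internal client apps.
POLICIES = [
    AccessPolicy("billing-service", {"client-billing"},
                 [Rule({"client_credentials"}, {"invoices:read", "invoices:write"})]),
    AccessPolicy("reporting-service", {"client-reporting"},
                 [Rule({"client_credentials"}, {"invoices:read", "reports:read"})]),
]

if __name__ == "__main__":
    for cid, scopes in [("client-billing", ["invoices:write"]),
                        ("client-reporting", ["invoices:write"]),
                        ("client-unknown", ["invoices:read"])]:
        print(cid, scopes, "->", authorize(POLICIES, cid, "client_credentials", scopes))
```

With many scopes on one server, the default-deny branch is what keeps a client from obtaining a scope meant for another API, so each resource server should still check the scope claim in the tokens it receives.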