Hello,
While developing an application-based OAuth flow, we identified that application1 can request an access token for another application (application2) using the resource id (application id) implicitly.
However, this shouldn't be the case; there should be a proper access mechanism for application1 to request an access token for application2.
Current scenario:
Provider creates an application (Application2) in AAD and adds app roles.
Consumer creates an application (Application1) in AAD and uses Application2's application id to get an access token.
Output:
Application1 receives an access token with no app-roles.
Desired output:
Application1 shouldn't be able to generate a token for application2, since it doesn't have access to application2.