Entra ID uses OAuth 2.0 RFC 8693 to propagate identity to API gateways for AI access control
Referenced standards
- OAuth 2.0 RFC 8693 (Open standard; Steward: IETF)

Microsoft Entra ID issues OAuth 2.0 access tokens and participates in RFC 8693 token exchange flows that delegate access between APIs. API gateways in the API Gateways and Data Mesh Gateways for AI Access category validate Entra-issued JWTs and forward authorized requests. This allows standardized token exchange and validation at the A–B interface to enforce identity-aware AI API access.
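The request and response shapes that RFC 8693 defines for this exchange, as an added example that is not taken from the referenced articles or from Microsoft's code. The audience `api://downstream-ai-api`, the scope names and the token strings are constructed placeholders, and the response check assumes the downstream call expects a Bearer access token.

```python
from urllib.parse import urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

def build_exchange_request(subject_token, audience, scope=None, actor_token=None):
    """Form-encoded body of an RFC 8693 section 2.1 token exchange request."""
    # RFC 8693 makes audience optional; this example insists on it so the
    # new token is always bound to one named downstream API.
    if not subject_token or not audience:
        raise ValueError("subject_token and audience are required here")
    params = {
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN,
        "requested_token_type": ACCESS_TOKEN,
        "audience": audience,
    }
    if scope:
        params["scope"] = scope
    if actor_token:
        # actor_token_type must accompany actor_token and must not appear without it.
        params["actor_token"] = actor_token
        params["actor_token_type"] = ACCESS_TOKEN
    return urlencode(params)

def check_exchange_response(resp, requested_scope=""):
    """Return the problems found in a section 2.2.1 successful response."""
    problems = [f"missing {f}" for f in
                ("access_token", "issued_token_type", "token_type") if not resp.get(f)]
    issued = resp.get("issued_token_type")
    if issued and issued != ACCESS_TOKEN:
        problems.append("issued_token_type is not an access token")
    token_type = resp.get("token_type")
    if token_type and token_type.lower() != "bearer":
        problems.append("token_type is not Bearer")
    # A scope in the response means the grant differs from the request;
    # reject anything broader than what was asked for.
    extra = set(resp.get("scope", "").split()) - set(requested_scope.split())
    if extra:
        problems.append("scope broader than requested: " + " ".join(sorted(extra)))
    expires_in = resp.get("expires_in")
    if expires_in is not None and (not isinstance(expires_in, int) or expires_in <= 0):
        problems.append("expires_in is not a positive integer")
    return problems

# Constructed sample responses (not captured from any real service).
SAMPLE_OK = {"access_token": "constructed.downstream.token", "expires_in": 300,
             "issued_token_type": ACCESS_TOKEN, "token_type": "Bearer"}
SAMPLE_BAD = {"access_token": "constructed.downstream.token",
              "token_type": "Bearer", "scope": "inference.read admin.write"}
```

These checks cover only the exchange messages; the gateway still has to verify the signature, issuer, audience and expiry of the JWT it receives before forwarding a request.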
Linked Evidence
- Microsoft Entra ID supports all OAuth 2.0 flows and issues access tokens that clients use to call protected resources, positioning Entra ID as a general OAuth 2.0 authorization server.
  Source: OAuth 2.0 authorization with Microsoft Entra ID
- A technical article demonstrates implementing the OAuth 2.0 Token Exchange delegated flow defined by RFC 8693 between two APIs, with one API using Microsoft Entra ID for authorization and exchanging its access token for a downstream API token.
  Source: Implement the OAUTH 2.0 Token Exchange delegated flow between APIs
- RFC 8693 specifies the OAuth 2.0 Token Exchange protocol, allowing a client to present an existing token to an authorization server and receive a new token suitable for a different resource.
  Source: RFC 8693 - OAuth 2.0 Token Exchange
- Azure API Management documentation shows that a user or application acquires a token from Microsoft Entra ID, sends it to the API gateway, and the gateway validates the JWT before forwarding the request to the backend API.
  Source: Protect API in API Management using OAuth 2.0 and Microsoft Entra ID