Clients shouldn’t peek inside access tokens
I am having a Twitter thread about why the Microsoft Graph, and only the Microsoft Graph, should be the one validating access tokens obtained by a client for calling the Microsoft Graph. However, I am failing to explain that effectively in 240-char quanta, so here I am – breaking a ~7 months…
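To make the title's point concrete, here is an added example (my own code, not from the original post or from any Microsoft library) that contrasts a client that peeks inside an access token with one that treats the token as an opaque string. The token formats, the `acquire` callback and the `resource` callable are all constructed stand-ins for a token endpoint and a resource server such as the Graph; the only things the client relies on are what it is actually given: the token string, the `expires_in` value from the token response, and the HTTP status the resource returns.

```python
"""Added example (not from the original post): a client that treats the
access token as an opaque string, beside the 'peeking' anti-pattern."""
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token: JWT-shaped, with a dummy signature. Only the
    resource server could actually validate it; this is just test input."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-not-checked-here"


def peeking_is_usable(token: str, now: float) -> bool:
    """Anti-pattern: the client parses the token body and decides for itself
    whether the token is good. This only works while the token happens to be
    a readable JWT, and even then the client's verdict need not match the
    resource's; it raises as soon as the resource hands out a non-JWT token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT; the client has no business parsing it")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    return claims.get("exp", 0) > now


class OpaqueTokenClient:
    """Treats the token as an opaque string: caches it using expires_in from
    the token response (which the client is explicitly told), sends it as a
    bearer credential, and re-acquires when the resource answers 401."""

    def __init__(self, acquire, now=time.time):
        self._acquire = acquire  # callable -> (access_token, expires_in_seconds)
        self._now = now
        self._token = None
        self._expires_at = 0.0
        self.acquisitions = 0

    def _token_for_request(self, force: bool = False) -> str:
        # Refresh a little early (60 s) based on expires_in, never on claims.
        if force or self._token is None or self._now() >= self._expires_at - 60:
            self._token, expires_in = self._acquire()
            self._expires_at = self._now() + expires_in
            self.acquisitions += 1
        return self._token

    def call(self, resource):
        """resource: callable(headers) -> (status, body). The resource is the
        only party that validates the token; the client just reacts to status."""
        status, body = resource({"Authorization": f"Bearer {self._token_for_request()}"})
        if status == 401:
            # Whatever the reason, the resource said no: get a fresh token once.
            status, body = resource(
                {"Authorization": f"Bearer {self._token_for_request(force=True)}"})
        return status, body


def demo():
    """Constructed scenario: the first token the client receives looks like a
    perfectly valid JWT, yet the resource rejects it; the replacement token is
    not a JWT at all. The opaque client copes; the peeking client cannot."""
    now = 1_700_000_000.0
    jwt_like = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "exp": now + 3600})
    opaque = "opaque-token-ABC123"  # constructed: a non-JWT token format
    issued = iter([(jwt_like, 3600), (opaque, 3600)])
    accepted_by_resource = {opaque}  # constructed: only the resource knows this

    def acquire():
        return next(issued)

    def resource(headers):
        token = headers["Authorization"][len("Bearer "):]
        return (200, "ok") if token in accepted_by_resource else (401, "invalid_token")

    client = OpaqueTokenClient(acquire, now=lambda: now)
    status, _ = client.call(resource)
    return status, client.acquisitions, jwt_like, opaque


if __name__ == "__main__":
    print(demo()[:2])
```

Running `demo()` shows the asymmetry: `peeking_is_usable` happily reports the JWT-shaped token as good (its `exp` is an hour away) while the resource returns 401 for it, and it raises outright on the opaque replacement. The opaque client never looks inside either token, so it ends the exchange with a 200 after one re-acquisition.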