Ah, yes, I can describe our use case.
Our internal AD is replicated to Azure AD. All our staff are available in Azure AD as well, for logon to the Microsoft Office cloud solutions.
Now when we are building mobile apps for use by staff members, we want to leverage Azure AD for authentication.
Using Azure AD, the mobile apps can obtain an OAuth token.
Then these mobile apps can call APIs that are hosted on our internal on-premises infrastructure and protected/authenticated by the CA API Gateway.
In this case, Azure AD is the IdP/authorization server, and the API GW is the resource provider.
To put this in an idea, I have to refer to F28201; do I just put it in the text somewhere?
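The checks the gateway has to make in this setup before it trusts a bearer token from the mobile app (signature, issuer, audience, expiry) are shown below as an added example; it is not code from the original post or from the CA API Gateway. It signs a constructed sample token with HS256 and a shared demo secret so it runs offline; a real Azure AD token is RS256-signed and would be verified against the tenant's published signing keys. The tenant id, audience URI and secret are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values; not a real tenant, API or key.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
EXPECTED_AUDIENCE = "api://internal-staff-api"   # the on-prem API the app calls
SHARED_SECRET = b"constructed-demo-secret"       # stands in for the IdP signing key

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Build an HS256 JWT for the demo; the real IdP would sign with RS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_token(token: str, now=None, key: bytes = SHARED_SECRET) -> dict:
    """Return the verified claims, or raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # never accept "none" or an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")   # signature check comes before any claim is read
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")    # token from a different tenant/IdP
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not issued for this API")  # e.g. a Graph token replayed here
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def token_status(token: str, now=None) -> str:
    """Convenience wrapper: 'ok' or the reason the gateway would reject the token."""
    try:
        validate_token(token, now)
        return "ok"
    except ValueError as err:
        return str(err)
```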