I’ve been hooking up all the various complex elements of your auth solution and have hit a barrier when trying to request an access token. I’m sure you’re familiar with this “requires consent” problem even when the skip flag is enabled. The issue is that it doesn’t work with http://localhost. We do front-end development locally against a development tenant and need to be able to use our current local development solution without jumping through a ton of hoops to get local SSL up and running.
Furthermore, this “Requires consent” issue is extremely poorly documented. Granted it’s part of the OpenId spec, but it’s unclear how this relates to API roles and permissions, which are often controlled by the application owner, and not by the user.