There are a lot of options out in the wild, and with cookies becoming true bêtes noires, most platforms are switching to some type of proper tokenization to allow for persistence. Microsoft’s PRT (Primary Refresh Token) shows promise, but every tokenization scheme has its pros and cons.
Yeah. And MS is heavily embracing OAuth. What I work on integrates with MS a lot. So I’ve been beating my head against the OAuth wall frequently as they roll to another app and another and another. Biggest problem being that they’re MS and they just have to do things a little differently than the standard. “We want to put your tenantId that doesn’t exist in OAuth into your issuer URL. Why? We’re MS, just do it.”
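
The tenant-in-issuer quirk mentioned above matters when validating tokens: Microsoft's multi-tenant metadata publishes a templated issuer, so comparing `iss` to the metadata string verbatim fails. An added example (not from the thread) of one way to check it, assuming the claims come from a token whose signature was already verified; the function name and tenant IDs are constructed for illustration.

```python
import re

# Issuer template as published in the multi-tenant ("common") OpenID metadata.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"
GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
)

# Constructed sample tenant ID (not a real tenant).
ALLOWED_TENANTS = frozenset({"11111111-2222-3333-4444-555555555555"})


def validate_issuer(claims, allowed_tenants=ALLOWED_TENANTS):
    """Return the tenant ID if iss and tid agree and the tenant is allowed.

    Assumption: `claims` is the payload of a token whose signature has
    already been verified. Raises ValueError on any mismatch.
    """
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not isinstance(tid, str) or not isinstance(iss, str):
        raise ValueError("missing iss or tid claim")

    tid = tid.lower()
    # Reject anything that is not a bare GUID before substituting it into
    # the template, so tid cannot smuggle extra path or host components.
    if not GUID_RE.fullmatch(tid):
        raise ValueError("tid is not a GUID")

    # The allow-list is the real trust decision: a correctly formed issuer
    # for some other tenant is still someone else's tenant.
    if tid not in allowed_tenants:
        raise ValueError("tenant not allowed")

    # Exact comparison against the expanded template, no prefix matching.
    expected = ISSUER_TEMPLATE.replace("{tenantid}", tid)
    if iss != expected:
        raise ValueError("issuer does not match tenant")
    return tid
```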