I’m currently trying to hack Strapi to handle access_token directly instead of its own created jwt.
Then only the authorized client have to store the access_token, we would just verify it, verify claims and forward it to other services.
I’m not using the access_token from Microsoft for that, I’m using another auth server, so it may be slightly different than what you need.