APIM - Authorisation Server API

Kevin,

There are currently no plans (as such) to allow APIM access tokens to be used by other resource servers. There are clear benefits, but the key reasons why they are not at this point in time:

  • Third parties need to manage their own authorisation
  • There isn’t a clear national proposal on how to manage this
  • If we were to put a system in place, we would want to use OAuth token exchange (RFC 8693), which has two benefits:
    • The third party implements their own OAuth server
    • Helps reinforce the responsibilities split for authorisation
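To make the RFC 8693 arrangement in the reply concrete, here is an added, self-contained illustration (not code from the original post, from APIM, or from any real third party) of the responsibilities split it describes: a client holding an APIM-issued access token presents it to the third party's own authorisation server via the token-exchange grant, that server verifies the inbound token against APIM's issuer and audience and mints its own token for its own API, and the third party's resource server accepts only tokens from its own issuer. Issuer URLs, audiences, keys, the HS256-style signing helper and all token values are constructed for the example; a real deployment would use a proper JWT library and the third party's published keys.

```python
"""Constructed RFC 8693 token-exchange walkthrough (example only, not APIM code)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Grant and token-type identifiers defined by RFC 8693 / RFC 8693 section 3.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Minimal HMAC-SHA256 signed token (header.payload.signature), constructed for the example."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(token: str, key: bytes, issuer: str, audience: str, now: float | None = None) -> dict:
    """Check signature, issuer, audience and expiry; raise ValueError on any failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


def resource_server_accepts(token: str, key: bytes, issuer: str, audience: str, now: float) -> bool:
    """What a resource server does: accept only tokens from its own issuer, for its own audience."""
    try:
        verify_token(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False


def build_exchange_request(subject_token: str, audience: str, scope: str) -> dict:
    """Form parameters the client POSTs to the third party's token endpoint (RFC 8693 section 2.1)."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "scope": scope,
    }


@dataclass
class ThirdPartyAuthServer:
    """The third party's own OAuth server (assumed names; not a real deployment)."""
    apim_key: bytes                 # key used to verify APIM-issued tokens (assumed for the example)
    own_key: bytes                  # the third party's own signing key
    own_issuer: str = "https://third-party.example/oauth"      # constructed
    apim_issuer: str = "https://apim.example/oauth"            # constructed
    apim_audience: str = "apim"                                # constructed

    def token_endpoint(self, form: dict, now: float) -> dict:
        if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
            return {"error": "unsupported_grant_type"}
        if form.get("subject_token_type") != ACCESS_TOKEN_TYPE:
            return {"error": "invalid_request"}
        try:
            inbound = verify_token(form["subject_token"], self.apim_key,
                                   self.apim_issuer, self.apim_audience, now)
        except (ValueError, KeyError):
            return {"error": "invalid_grant"}
        # Never widen scope: grant only what the inbound token already carried.
        granted = set(form.get("scope", "").split()) & set(inbound.get("scope", "").split())
        new_claims = {
            "iss": self.own_issuer,
            "sub": inbound["sub"],
            "aud": form["audience"],
            "scope": " ".join(sorted(granted)),
            "exp": now + 300,
        }
        return {
            "access_token": mint_token(new_claims, self.own_key),
            "issued_token_type": ACCESS_TOKEN_TYPE,
            "token_type": "Bearer",
            "expires_in": 300,
            "scope": new_claims["scope"],
        }
```

The point to notice is that the APIM token never reaches the third party's resource server as a credential: `resource_server_accepts` rejects it because the issuer and audience are wrong, and only the token minted by the third party's own server, with scope no wider than the original, is honoured.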