1
votes

I’m using web applications secured with Azure Active Directory B2C. Those applications call services using JavaScript hosted by Azure API Management.

I was surprised to read that I can only secure front end APIs using App Keys or a client certificate.

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-create-subscriptions

How can I secure those applications using an OAuth token?

2 Answers

2
votes

You can configure B2C as an identity provider in Azure API Manager:

How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management

This article explains how to authorize access to the developers portal, but think about the developers portal as "ANY API".

You can validate the JWT issued by Azure AD B2C using an API Management policy:

API Management access restriction policies - Validate JWT
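
An added example (not part of the answer above) of an inbound API Management policy that applies the Validate JWT approach to an API called from browser JavaScript. `YOUR_TENANT`, `YOUR_POLICY`, `YOUR_API_CLIENT_ID`, the origin `https://app.example.com` and the scope `demo.read` are placeholders assumed for illustration.

```xml
<!-- Added example: inbound policy for an API called from browser JavaScript.
     YOUR_TENANT, YOUR_POLICY, YOUR_API_CLIENT_ID, the origin and the scope
     name are placeholders, not values from this page. -->
<policies>
  <inbound>
    <base />
    <!-- cors comes first so the browser's preflight OPTIONS request, which
         carries no Authorization header, is answered before the token check. -->
    <cors allow-credentials="false">
      <allowed-origins>
        <origin>https://app.example.com</origin>
      </allowed-origins>
      <allowed-methods>
        <method>GET</method>
        <method>POST</method>
      </allowed-methods>
      <allowed-headers>
        <header>authorization</header>
        <header>content-type</header>
      </allowed-headers>
    </cors>
    <!-- Reject any call that lacks a signed, unexpired Bearer token. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Access token is missing or invalid.">
      <!-- Signing keys are fetched from the B2C user flow's metadata document. -->
      <openid-config url="https://YOUR_TENANT.b2clogin.com/YOUR_TENANT.onmicrosoft.com/YOUR_POLICY/v2.0/.well-known/openid-configuration" />
      <!-- aud must be the API's own app registration, not the web client's. -->
      <audiences>
        <audience>YOUR_API_CLIENT_ID</audience>
      </audiences>
      <!-- scp is a space-separated list; require the scope this API exposes. -->
      <required-claims>
        <claim name="scp" match="any" separator=" ">
          <value>demo.read</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
```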

0
votes