In my use case, I have a portal and a separate app that has
exposed a few REST APIs. Both the portal and the API app are in the CoT.
The goal is for the portal to contact the API acting as the user. The
API app is a SaaS and does not currently support OAuth2, so that is not
really an option. I like what Microsoft is suggesting in the TechNet.