the Azure API Manager web app (a web service proxy) has a developer console - that makes oauth2 calls to AAD just fine. Up pops a browser windows that concludes authorization, and the web app attempt to convert code to token.
AADSTS rejects the request, objecting to the lack of resource parameters, in the posted parameter set.
MSDN markets the resource parameter as optional.
So how does one configure an AAD app so that the consuming app does NOT need to nominate the resource?
Essentially, the app is a classical oauth2 webapp, acting as a confidential client, having a clientid/clientsecret credentials and the redirect secret.
This use of api manager to send oauth2 request is NOT related to a similar oauth2 integration between APIM and AAD, in which one logs into the developer web app itself, using an openid connect flows.