We have an existing System A (UI and backend) that uses Okta for access control. When a user requests data, e.g. searching, the access token and the API key plus some other details are passed to a backend API. System A has its own Okta client ID & secret, authorization server, and API key.
Now we are implementing a new System B that calls some of the System A APIs directly, e.g. https://system-A-domain-url/api/getFilteredStores. These will be REST calls. Is it possible to design the Okta access permissions for System B so that it can obtain an Okta access token (through a REST call using System B's client ID and secret and authorization server) and pass that token, its own API key, plus the other required details to the System A getFilteredStores endpoint to retrieve some info?
Basically, we don't want System A and System B to share the same credentials (client ID, secret, API key, and authorization server), if that's possible. Is this type of setup possible? If not, do you have a better idea? We cannot change whatever we have already implemented in System A.
System A was designed for end-user to backend interaction. A user is authenticated through the Okta login, and the access token is stored and passed to the backend API. It is deployed with AWS CloudFront.
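The flow the question describes, as an added example that is not part of the original post: System B requests a token from its own Okta authorization server with the client_credentials grant (client ID and secret as HTTP Basic credentials against the server's /v1/token endpoint), then calls System A's endpoint with that token as a bearer token plus an API key. The last function is the claim check a resource server performs on an incoming JWT (issuer, audience, expiry); run against a token minted by a second authorization server it shows concretely what System A, which was built to trust only its own authorization server, would do with a System B token unless its validator were configured to trust that issuer. The issuer URLs, client IDs, scope, audience value and the x-api-key header name are placeholders I assumed, the tokens are constructed unsigned JWTs for the demo, and signature verification against the issuer's JWKS is deliberately left out; real code must do it.

```python
"""Client-credentials token request, downstream API call, and the claim checks a
resource server applies. Added example; not code from the question author."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed placeholders: Okta custom authorization servers look like
# https://<org>.okta.com/oauth2/<authServerId>; the audience is whatever System A's
# authorization server was configured with.
SYSTEM_A_ISSUER = "https://example.okta.com/oauth2/ausSystemA"
SYSTEM_B_ISSUER = "https://example.okta.com/oauth2/ausSystemB"
SYSTEM_A_AUDIENCE = "api://system-a"


def build_token_request(issuer, client_id, client_secret, scope):
    """Request for the client_credentials grant at {issuer}/v1/token.
    The client authenticates with HTTP Basic (client_secret_basic); the grant and
    requested scope travel form-encoded in the body. Nothing is sent here."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode()
    return urllib.request.Request(
        f"{issuer.rstrip('/')}/v1/token",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def build_api_request(endpoint, access_token, api_key, params):
    """The call System B makes to System A: bearer token plus API key.
    'x-api-key' is an assumed header name; use whatever System A actually expects."""
    url = endpoint + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(
        url,
        headers={
            "Authorization": f"Bearer {access_token}",
            "x-api-key": api_key,
            "Accept": "application/json",
        },
    )


def make_unsigned_jwt(claims):
    """Constructed demo token with an empty signature. Real Okta access tokens are
    RS256-signed; this helper exists only to feed the claim checks below."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def decode_jwt_claims(token):
    """Decode the payload segment WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, expected_issuer, expected_audience, now=None):
    """Return the reasons a resource server trusting expected_issuer/expected_audience
    would reject these claims; an empty list means the claims pass.
    Signature verification against the issuer's JWKS must precede this in real code."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} is not trusted")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"audience {aud!r} does not include {expected_audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


if __name__ == "__main__":
    now = int(time.time())
    # Token as System A's own authorization server would mint it.
    own = make_unsigned_jwt({"iss": SYSTEM_A_ISSUER, "aud": SYSTEM_A_AUDIENCE,
                             "exp": now + 3600, "cid": "0oaSystemA"})
    # Token minted by System B's separate authorization server.
    other = make_unsigned_jwt({"iss": SYSTEM_B_ISSUER, "aud": SYSTEM_A_AUDIENCE,
                               "exp": now + 3600, "cid": "0oaSystemB"})
    for label, tok in (("System A token", own), ("System B token", other)):
        print(label, check_claims(decode_jwt_claims(tok), SYSTEM_A_ISSUER,
                                  SYSTEM_A_AUDIENCE, now) or "accepted")
    req = build_api_request("https://system-A-domain-url/api/getFilteredStores",
                            other, "system-b-api-key", {"region": "west"})
    print(req.full_url, dict(req.header_items()))
```

The token request itself is the same shape whichever authorization server System B points at; the part that decides whether the setup works is the check on the receiving side, and that is why the claim checker is included next to the request builders.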