I need a way for a non-web service to obtain its own set of client credentials at the time of install in order to get an access token for a web service that is using API access management. Is this possible with the dynamic client registration API somehow without having to provide an API token? If not possible, any suggestions?
I am thinking out loud - have the client credential safeguarded by a separate web service. The web service requires authentication with an access token. An interactive login process (e.g., Okta OIDC) is required to get the access token. The interactive login process means a human user must log in during the install process.
That is a good solution if an interactive install is taking place. In my case this would be installed in a non-interactive fashion via group policy. What we’re thinking right now is to provide the client id and secret via the command line. We wouldn’t be able to get a unique client id per installation but we could at least vary it by region so that a revocation wouldn’t break 100% of the install base. Not quite what we wanted but it’ll work. Considered providing an API key via the command line and then revoking it after the install completes, but can’t seem to get a minimum acceptable set of admin rights to only create applications… Also the issue of updating any access policies is not addressed.