I am struggling a bit with understanding the proper approach to using Okta OIDC to secure the API services that we share with our external business partners.
We support SOAP and XML over REST as the means of accessing our services. We currently support basic auth and 2-way certificate auth to secure these services.
We would like to support OAuth/OIDC via Okta but are unsure about which grant flow to use. We think the Client Credentials flow makes sense for us, but have lots of questions:
- Does our partner need a client id and client secret?
- If so, do we set that up in our Okta instance and provide it to our partner?
- Is there another recommended approach to handling how our partner obtains the id/secret, access token?
Thanks for any assistance or links to pages that help to clarify some of this,
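As an added example (not part of the question above, and not Okta's own code): the two halves of a client credentials flow, written in Go. The partner's side builds the token request that goes to the authorization server's token endpoint (client_id and client_secret in a Basic authorization header, `grant_type=client_credentials` and the requested scopes in the form body), and the API's side validates the returned JWT access token: RS256 signature, issuer, audience, expiry and a required scope. The Okta domain, the `default` authorization server path, the audience value, the client id and the scope names are constructed for the example, and `MintToken` only stands in for Okta so that the code runs offline; in production Okta signs the token and the API fetches the public key from the server's JWKS endpoint. The claim names (`cid` for the client id, `scp` for granted scopes) follow the format of Okta access tokens issued by a custom authorization server.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Constructed values standing in for a real Okta org and partner application.
const (
	issuer   = "https://example.okta.com/oauth2/default" // assumed authorization server URL
	audience = "api://partner-services"                  // assumed audience configured on that server
	clientID = "0oa1partnerclientid"                     // constructed partner client_id
)

// TokenRequest builds what the partner sends to {issuer}/v1/token: Basic auth
// carries client_id:client_secret, the form body carries grant_type and scopes.
func TokenRequest(clientID, clientSecret string, scopes []string) (endpoint, authHeader, body string) {
	endpoint = issuer + "/v1/token"
	authHeader = "Basic " + base64.StdEncoding.EncodeToString([]byte(clientID+":"+clientSecret))
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("scope", strings.Join(scopes, " "))
	return endpoint, authHeader, form.Encode()
}

// Claims are the access-token claims the API checks (cid = client_id, scp = scopes).
type Claims struct {
	Iss string   `json:"iss"`
	Aud string   `json:"aud"`
	Cid string   `json:"cid"`
	Scp []string `json:"scp"`
	Iat int64    `json:"iat"`
	Exp int64    `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken signs an RS256 JWT the way the authorization server would.
// It exists only so the example runs offline; in production Okta mints the token.
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "k1"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyToken is the resource-server side: signature against the server's public
// key (from its JWKS in practice), then iss, aud, exp and the scope the endpoint
// requires. Any failure rejects the call before the request body is looked at.
func VerifyToken(pub *rsa.PublicKey, token string, now time.Time, requiredScope string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected header") // rejects alg=none and HMAC confusion
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("wrong issuer")
	case c.Aud != audience:
		return nil, errors.New("wrong audience")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	for _, s := range c.Scp {
		if s == requiredScope {
			return &c, nil
		}
	}
	return nil, errors.New("missing scope " + requiredScope)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	ep, auth, body := TokenRequest(clientID, "constructed-secret", []string{"partner.orders.read"})
	fmt.Printf("POST %s\nAuthorization: %s\n\n%s\n\n", ep, auth, body)
	now := time.Now()
	tok, _ := MintToken(key, Claims{Iss: issuer, Aud: audience, Cid: clientID,
		Scp: []string{"partner.orders.read"}, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()})
	c, err := VerifyToken(&key.PublicKey, tok, now, "partner.orders.read")
	fmt.Println("verified client:", c.Cid, "err:", err)
	_, err = VerifyToken(&key.PublicKey, tok, now, "partner.orders.write")
	fmt.Println("write scope:", err)
}
```

The scope check is what ties a token back to what the partner is allowed to call: each partner app gets its own client_id in Okta, the scopes granted to that app are listed in `scp`, and the API checks the scope rather than the client id so that onboarding a new partner does not require an API change.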