B is A’s customer. A has an App in the Okta App Catalog, like Salesforce, Autodesk, Cisco Webex. That App supports synchronizing B’s users/groups in Okta to orgA by the SCIM protocol.
As I know, the orgB admin can manually:
- create a SCIM app, or
- create an OAuth client and share the client id/secret, or provide an API Key, to other services. Others can then create a SCIM App and assign users/groups to the App if the scopes are granted.
But what I want is:
Precondition: No SCIM App, OAuth client or API key is configured in OrgB.
3. B authorizes A to manage its apps, users… e.g.
3.1 A opens Okta’s authorization page requesting some privileges, like app management
3.2 The orgB admin inputs username and password in the page
3.3 The orgB admin confirms the authorization
4. A is authorized by B
5. A can create an OAuth client and a SCIM App under orgB (orgB.okta.com). So the orgB admin doesn’t need to do these things manually.
The scenario in the doc is that B creates the OAuth client and shares the client with A manually.
But what I want is for A to create the client for B automatically after being authorized by B.
The authorization process is as I described:
3.1 A opens Okta’s authorization page requesting some privileges, like app management
3.2 The orgB admin inputs username and password in the page
3.3 The orgB admin confirms the authorization
OrgA gets an access token with OAuth and accesses orgB’s resources.
Normal Case (supported already)
The orgA page or service sends the request
GET https://{orgB_domain}/oauth2/v1/authorize?client_id=client_provided_by_B&scope=…
POST https://{orgB_domain}/oauth2/v1/token with the above client, after the OrgB admin inputs username & password in the page
Expected
The orgA page or service sends the request with A’s client id
GET https://{orgB_domain}/oauth2/v1/authorize?client_id=client_from_A&scope=… The OrgB admin inputs username & password and confirms the authorization
Then orgA sends the request
POST https://{orgB_domain}/oauth2/v1/token with client_id=client_from_A
Basically, A accesses B’s resources using A’s own client after B has authorized A’s client.
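As an added illustration (not code from the original post or from Okta), here is the Normal Case flow from orgA’s side in Python: building the authorize URL against orgB’s `/oauth2/v1/authorize`, validating the callback, and building the `/oauth2/v1/token` request. The authorize request goes to orgB’s authorization server, so the `client_id` it carries is whatever that server will accept (the post’s `client_provided_by_B`); the domain, client id, redirect URI and scope names are placeholder assumptions, and the admin only ever types credentials into orgB’s own page, never into anything A hosts.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_PATH = "/oauth2/v1/authorize"  # orgB's org authorization server, as in the post
TOKEN_PATH = "/oauth2/v1/token"


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a PKCE code_verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_verifier() -> str:
    """Fresh high-entropy verifier; orgA keeps it secret until the token step."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def query_params(url: str) -> dict:
    """Flatten a URL's query string into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorize_url(orgb_domain, client_id, redirect_uri, scopes, state, verifier):
    # Step 1: the URL orgA sends the orgB admin to. client_id must be a client that
    # orgB's authorization server knows; scopes are assumed placeholders.
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                         # ties the callback to this request
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"https://{orgb_domain}{AUTHORIZE_PATH}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    # Step 2: after the admin confirms, orgB redirects back with code and state.
    # Reject anything whose state is not the one orgA generated.
    q = query_params(callback_url)
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: callback not tied to our authorize request")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error']}")
    return q["code"]


def build_token_request(orgb_domain, client_id, redirect_uri, code, verifier):
    # Step 3: the POST to orgB's token endpoint. Returns (url, form body).
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}
    return f"https://{orgb_domain}{TOKEN_PATH}", form
```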