My question is around the client ID and secret when going through the oauth flow to eventually get an access token. Most of my experience with oauth 2.0 is that you create your own app integration with client ID and secrets that you own, in order to authenticate with a third party account. But it appears Okta is unique in that I actually need the client ID and secret of the third party in order to obtain an access token from said third party.
Using OAuth for Okta allows you to interact with Okta APIs via scoped OAuth 2.0 access tokens.
Note that you can request an access token by making a call to your Okta org authorization server/authorize endpoint. Only the org authorization server can mint access tokens containing Okta API scopes. For more details, see Which authorization server should you use.