We've implemented OpenID Connect for our UI front-end login using the user credential flow, which redirects the user to a login page.
We would like to use OpenID Connect for our B2B APIs without the redirect flow.
Is there a flow where a 3rd-party user can log in and receive an access/ID token and pass it to our API? What is the best practice for such a scenario?
Thanks
To answer this properly it is important to identify the precise client-side usage, since solutions are always driven by this.
SCENARIO 1: OAUTH CLIENT IS A BUSINESS PARTNER'S BACK END
B2B APIs are most commonly called from code written by a business partner, perhaps in their own Web API. In this case the Client Credentials Grant is used, and it is possible to use Mutual TLS-based forms of this for higher security.
A common setup is for the business partner UI to call the business partner API, which can then return data from your B2B API.
SCENARIO 2: OAUTH CLIENT IS YOUR OWN UI, USED BY BUSINESS PARTNER USERS
In this case the moving parts are as follows:
It is possible for the Authorization Server to perform a further redirect, so that users from business partners can sign in with familiar credentials. My Federated Logins Blog Post describes how this is configured.
YOUR SCENARIO?
If the above does not answer your question, please describe your scenario in more detail:
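The Client Credentials Grant from Scenario 1, shown end to end as an added example (this is not code from the original post or from any product). Both sides of the exchange are simulated in-process with plain functions so it runs offline: the partner back end builds the token request, the authorization server's token endpoint authenticates the client and issues a short-lived access token, and the B2B API validates that token on every call. Assumed for illustration only: the client_id/secret, the audience "b2b-api", the scope "orders:read", the issuer URL, and an HS256 JWT over a shared key standing in for the asymmetric signing keys a real server would use. Mutual TLS client authentication (RFC 8705) would replace the Basic secret below and is not modelled.

```python
"""Client Credentials Grant: partner back end -> token endpoint -> B2B API.

Everything here is constructed sample data and simulated servers; the
shared-key HS256 signing is a stand-in for real asymmetric keys.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# --- Authorization server configuration (constructed, not from the post) ---
SIGNING_KEY = b"demo-shared-signing-key"   # assumption: real servers use RS256/ES256 keys
ISSUER = "https://as.example"              # assumed issuer URL
AUDIENCE = "b2b-api"                       # assumed audience identifier of the B2B API
REGISTERED_CLIENTS = {"partner-backend": {"secret": "s3cr3t", "scopes": {"orders:read"}}}
TOKEN_LIFETIME = 300                       # seconds; machine clients can refetch cheaply


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())


# --- Partner back end: the token request of RFC 6749 section 4.4 ---
def build_token_request(client_id: str, client_secret: str, scope: str) -> dict:
    # Client credentials travel in an HTTP Basic header; grant_type in the form body.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"headers": {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "client_credentials", "scope": scope})}


# --- Authorization server: token endpoint ---
def token_endpoint(request: dict, now=None) -> tuple:
    now = int(time.time()) if now is None else now
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, client_secret = base64.b64decode(auth[6:]).decode().split(":", 1)
    except Exception:
        return 401, {"error": "invalid_client"}
    client = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison so the secret check does not leak timing information.
    if client is None or not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    form = parse_qs(request["body"])
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    requested = set(form.get("scope", [""])[0].split())
    if not requested or not requested <= client["scopes"]:   # only pre-registered scopes
        return 400, {"error": "invalid_scope"}
    claims = {"iss": ISSUER, "sub": client_id, "aud": AUDIENCE,
              "scope": " ".join(sorted(requested)), "iat": now, "exp": now + TOKEN_LIFETIME}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    token = f"{header}.{payload}.{_sign(f'{header}.{payload}'.encode())}"
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}


# --- B2B API (resource server): validate the bearer token on every request ---
def b2b_api(request: dict, required_scope: str = "orders:read", now=None) -> tuple:
    now = int(time.time()) if now is None else now
    auth = request["headers"].get("Authorization", "")
    parts = auth[7:].split(".") if auth.startswith("Bearer ") else []
    if len(parts) != 3:
        return 401, {"error": "invalid_token"}
    header_b64, payload_b64, sig = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm and verify the signature before trusting any claim.
        expected = _sign(f"{header_b64}.{payload_b64}".encode())
        if header.get("alg") != "HS256" or not hmac.compare_digest(sig, expected):
            return 401, {"error": "invalid_token"}
        claims = json.loads(_b64url_decode(payload_b64))
    except Exception:
        return 401, {"error": "invalid_token"}
    # Issuer, audience and expiry: a token minted for another API must be rejected.
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return 401, {"error": "invalid_token"}
    if required_scope not in claims.get("scope", "").split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"orders": ["order-1", "order-2"], "caller": claims["sub"]}


# --- The whole Scenario 1 round trip from the partner back end's point of view ---
def partner_backend_fetch_orders(client_id: str, client_secret: str) -> tuple:
    status, body = token_endpoint(build_token_request(client_id, client_secret, "orders:read"))
    if status != 200:
        return status, body
    return b2b_api({"headers": {"Authorization": f"Bearer {body['access_token']}"}})


if __name__ == "__main__":
    print(partner_backend_fetch_orders("partner-backend", "s3cr3t"))
    print(partner_backend_fetch_orders("partner-backend", "wrong"))
```

In the arrangement described under Scenario 1 the partner's own UI never sees this token: it calls the partner's API, which holds the client secret (or mTLS client certificate) server-side and performs this exchange. The B2B API only ever trusts what it can verify itself: signature, issuer, audience, expiry and scope, in that order.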