What Ory solution would be best here (fosite, hydra, or kratos)? Also looking for advice on the overall OAuth2 setup.
• Company uses Okta for SSO
• We have a react.js SPA
• We have a headless REST based API
• We want to secure our API as well and provide auth via users through Okta as well as access from external systems (client credentials).
Our SPA is currently set up with PKCE, and we are working out the details of securing the API side of things using OAuth2. We'd ideally like the token generation to be consistent regardless of whether it comes from Okta or via the client credentials flow.
I'm not exactly clear in my understanding here, but from reading around it seems like our UI would first retrieve a token from Okta through the OIDC PKCE flow, then use that to exchange for a token generated by our auth service by calling something like
/oidc/okta/login
to kick-start the OAuth2 flow. This endpoint would handle verifying the client's key with Okta and then generating a new access token for the client to use against the API.
For client credentials, we would have something like a generic OAuth2 handler; the initiate URL would be
/oa/login.
Does this seem correct? If so, what would be the best-fitting Ory solution here?
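The "consistent token regardless of grant path" goal from the post, sketched as an added example (not code from the original post or from any Ory project): one issuer mints the same token shape behind the hypothetical /oidc/okta/login and /oa/login handlers, and the API verifies it the same way for both. It assumes the Okta ID token has already been verified against Okta's JWKS before its claims reach the exchange function, and uses an HMAC-signed JWT with constructed key, issuer and audience values purely for illustration.

```python
import base64, hashlib, hmac, json

# Constructed demo values; a real service would load these from config or a secret store.
SIGNING_KEY = b"constructed-demo-signing-key"
ISSUER = "https://auth.example.internal"   # hypothetical internal auth service
AUDIENCE = "headless-api"                  # the REST API the token is meant for
TTL = 900                                  # seconds

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(subject: str, grant: str, scope: str, now: int) -> str:
    """One token shape for both grant paths; 'grant' only records where the identity came from."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "grant": grant,
              "scope": scope, "iat": now, "exp": now + TTL}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def exchange_okta_identity(okta_claims: dict, now: int) -> str:
    """Hypothetical /oidc/okta/login: okta_claims are assumed already verified against Okta's JWKS."""
    return mint_token(okta_claims["sub"], "okta", "user", now)

def client_credentials(clients: dict, client_id: str, client_secret: str, now: int):
    """Hypothetical /oa/login: secret checked in constant time against a constructed client store."""
    stored = clients.get(client_id)
    if stored is None or not hmac.compare_digest(stored, client_secret):
        return None
    return mint_token(client_id, "client_credentials", "system", now)

def verify_token(token: str, now: int):
    """What the API does on every request: check signature, then issuer, audience and expiry."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except ValueError:          # malformed structure, bad base64 or bad JSON
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims
```

The API only ever sees the internally minted token, so its verification path does not change when a caller is an Okta user versus an external system; the grant claim lets it distinguish the two for authorization decisions.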