Background:
We have 2 distinct products that are installed at the customer's on-premises location. Product A needs to expose an API which Product B needs to call. Product B wants to ensure the API is secure. Product A also wants to enable rate limiting/quotas for the API and link it to the client id (here Product B shall have its own client id). Our preference is to use OAuth. The APIs are to be written using C# .NET and there is no API Gateway planned.
Questions:
- Can the solution assume that enterprise customers shall have an OAuth server that can be used?
- Do products typically, when installed on customer premises, have the client ids generated for themselves and have required scopes approved?
- If an OAuth server is not available with a customer, then how can the use case be achieved?