We’re currently using the Client Credentials Grant, but Salesforce does not provide a way to securely store the Client Secret for this Grant Type.
Named Credential is Salesforce’s credential store feature.
Auth0 Client Credentials Flow
This is how we’re using it today, where the “M2M App” is Salesforce and “Your API” is the various systems that Salesforce integrates with, with Auth0 acting as the IDP and providing Machine tokens (M2M) for Salesforce to further authorize into “Your APIs”.
This flow is a great fit for us because our users are none-the-wiser.
While SSO would be one path we can take to address this, I’m afraid that would be a longer path than we have an appetite for.
In the second option you provided, if I’m reading correctly, the flow moves in the opposite direction: inbound requests to Salesforce, rather than outbound from SF.
I’m not entirely sure which direction to go yet, but I am (on the SF side) investigating Named Credential OAuth 2.0 with OpenID, paired with an Auth. Provider registered in Salesforce.
Our goal is to persist current functionality (no user interaction during the auth flow) and securely store authorization credentials in Salesforce.