authentication – Authorization flow – one party accessing another party as third party – is this a correct way to do so?

An authorization flow between three parties has been suggested to me that does not seem secure to me, and I would like to know if I’m assuming correctly.

Let’s say Party A has many customers (let’s call one of them Customer X) with data in Party A.

Party A is allowing Customer X to get data from their API. In order to do that:

  • Customer X downloads a client_id and client_secret
  • Customer X uses client_id and client_secret to hit the /auth endpoint
  • /auth endpoint returns a token.
  • Customer X now uses the token in an authorization header (Authorization: Bearer YOUR_TOKEN_HERE) to hit API endpoints

Until this point this makes sense to me.

Now, let’s say that we include Party B, which wants to access data in Party A on behalf of Customer X. What Party A is suggesting to do is:

  • Customer X downloads a client_id and client_secret
  • Customer X goes to Party B and stores client_id and client_secret there
  • Party B uses client_id and client_secret from Customer X to hit the /auth endpoint
  • /auth endpoint returns a token.
  • Party B now uses the token in an authorization header (Authorization: Bearer YOUR_TOKEN_HERE) to hit API endpoints on behalf of Customer X

To me it seems weird that Party A will encourage Customer X to bring that client_id and client_secret to another party.

I want to know if this is a normal flow and, if it isn’t, what the most common way is for Party B to access Party A’s data on behalf of Customer X.
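The second flow described above, modelled from Party A's side as an added example that is not part of the original post. The `PartyA` class, the `customer-x` identifier and the rotation behaviour are assumptions made for illustration; the point is that tokens requested by Party B with the stored credentials are attributed to Customer X, and removing Party B's access means rotating the secret Customer X also depends on.

```python
import hmac
import secrets

class PartyA:
    """In-memory stand-in for Party A's /auth endpoint and API (constructed)."""
    def __init__(self):
        self.client_secrets = {}   # client_id -> client_secret
        self.tokens = {}           # bearer token -> client_id it was issued to

    def issue_credentials(self, client_id):
        self.client_secrets[client_id] = secrets.token_urlsafe(16)
        return self.client_secrets[client_id]

    def auth(self, client_id, client_secret):
        expected = self.client_secrets.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid client credentials")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = client_id
        return token

    def api_caller(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or token not in self.tokens:
            raise PermissionError("invalid token")
        return self.tokens[token]   # the only identity Party A can log

    def rotate(self, client_id):
        # Assumption: rotating the secret also invalidates tokens already issued.
        self.tokens = {t: c for t, c in self.tokens.items() if c != client_id}
        return self.issue_credentials(client_id)

def accepted(party_a, token):
    try:
        party_a.api_caller(f"Bearer {token}")
        return True
    except PermissionError:
        return False

def demo():
    a = PartyA()
    secret = a.issue_credentials("customer-x")
    x_token = a.auth("customer-x", secret)   # Customer X calling directly
    b_token = a.auth("customer-x", secret)   # Party B using the stored copy
    callers = {a.api_caller(f"Bearer {x_token}"), a.api_caller(f"Bearer {b_token}")}
    a.rotate("customer-x")                   # only way to cut Party B off
    return callers, accepted(a, x_token), accepted(a, b_token)

if __name__ == "__main__":
    print(demo())
```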