authentication – How to authenticate that an OAuth2 confidential client is making a REST call?

We are looking to implement some REST services to be called from partner servers (not end users via a browser).

The out-of-the-box implementation seems to flow thusly:

  1. Partner server passes a client id and client secret to our OAuth server, which will use them to generate and pass back an access key
  2. Partner passes the access key as a bearer token in the HTTP request header on every API call

Is this how OAuth2 is supposed to work for confidential clients?

How is client id / client secret different from a username and password? It seems that they can become copied or compromised to allow anyone with network access to our service to forge a request. Granted, that mostly just includes employees, but we need to secure against them too. It also seems that we are trusting our partners to keep the client id and client secret secure but that, if they fail to do so, it is OUR services that get put at risk.

Is there a stronger way to authenticate that the server making a REST call really is the server that we want to authorize? E.g., can X.509 client certificates be used? Would that be normal / state of the art?
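The X.509 question at the end maps onto what OAuth 2.0 calls certificate-bound access tokens (RFC 8705): the authorization server issues the token over mutual TLS and records the client certificate's SHA-256 thumbprint in the token's `cnf` claim, so a copied bearer token is useless unless the caller can also complete a TLS handshake with the same certificate. The resource-server side of that check, as an added example that is not part of the question; the certificate bytes are a constructed stand-in for a DER-encoded certificate and the claims are constructed, not taken from any real token.

```python
import base64
import hashlib
import hmac
from typing import Optional


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bound_thumbprint(claims: dict) -> Optional[str]:
    """Return the cnf.x5t#S256 value from already-validated token claims, if any."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return None
    value = cnf.get("x5t#S256")
    return value if isinstance(value, str) else None


def accept_request(claims: dict, presented_cert_der: Optional[bytes],
                   require_binding: bool = True) -> bool:
    """Decide whether a request may proceed, after the token's signature and
    expiry have been checked elsewhere. `presented_cert_der` is the client
    certificate from the TLS layer, or None if the caller sent none."""
    expected = bound_thumbprint(claims)
    if expected is None:
        # Plain bearer token: possession alone would be enough, which is
        # exactly the risk in the question, so the default policy refuses it.
        return not require_binding
    if presented_cert_der is None:
        return False  # bound token replayed over a connection without mTLS
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))


# Constructed sample data standing in for the partner's certificate and token.
PARTNER_CERT_DER = b"constructed stand-in for the partner's DER certificate"
BOUND_CLAIMS = {"sub": "partner-server", "cnf": {"x5t#S256": x5t_s256(PARTNER_CERT_DER)}}
PLAIN_CLAIMS = {"sub": "partner-server"}

if __name__ == "__main__":
    print("partner with its cert:", accept_request(BOUND_CLAIMS, PARTNER_CERT_DER))   # True
    print("token copied, no cert:", accept_request(BOUND_CLAIMS, None))               # False
    print("token copied, other cert:", accept_request(BOUND_CLAIMS, b"someone else"))  # False
    print("unbound bearer token:", accept_request(PLAIN_CLAIMS, PARTNER_CERT_DER))    # False
```

The thumbprint must be compared against the certificate the TLS stack actually authenticated on this connection, not against a certificate carried in a header, or the binding proves nothing.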