If we have a use case where a list of APIs is consumed only by a third-party app / third-party developer, then how are API registration and exposure managed? Is this similar to the way a user logs in to the portal and gets the key/secret?
For the third-party app, it is suggested to use the Authorization Code grant type.
Yes, the process of getting the client ID and secret is the same. Only the flows will change.
First, the app will forward to the authentication server for the authentication of the user. Then it will take the consent of the user to get the resource information. Now the user will get a code. In the next call to the authentication server, the code will be sent in the request to get the access token, and then the actual call will happen to get the token validated, and the response is returned back.
It is three-legged OAuth.
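The flow described in the answer above, as an added example that is not part of the original thread: a toy in-memory authorization server showing client registration, the consent step that yields a code, the code-for-token exchange, and token validation at the API. All class, function, scope and URL names are hypothetical, and the checks (registered redirect URI, single-use short-lived code, client authentication) are the ones a real deployment would also enforce.

```python
import secrets
import time

class AuthServer:
    """Toy in-memory authorization server (constructed for illustration)."""
    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, redirect_uri)
        self.codes = {}    # code -> (client_id, user, scope, expires_at)
        self.tokens = {}   # access_token -> (user, scope)

    def register_client(self, redirect_uri):
        # Portal step: the developer registers the app and receives key/secret.
        client_id, client_secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret

    def authorize(self, client_id, redirect_uri, user, scope, consent):
        # Step 1: user authenticates and consents; a code goes to the redirect URI.
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not consent:
            raise PermissionError("user denied consent")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope, time.time() + 60)
        return code

    def token(self, client_id, client_secret, code):
        # Step 2: the app exchanges the code plus its own credentials for a token.
        secret = self.clients.get(client_id, (None,))[0]
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("client authentication failed")
        issued = self.codes.pop(code, None)  # pop makes the code single-use
        if issued is None or issued[0] != client_id or issued[3] < time.time():
            raise PermissionError("invalid, reused or expired code")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (issued[1], issued[2])
        return access_token

    def introspect(self, access_token):
        return self.tokens.get(access_token)

def call_api(auth, access_token, needed_scope):
    # Step 3: the resource API validates the token before responding.
    info = auth.introspect(access_token)
    if info is None or needed_scope not in info[1].split():
        return 401, None
    return 200, {"user": info[0]}
```
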