The selection of grant types is primarily performed by looking into the following aspects:
- The type of the client application
- What resources the client application wants to access
In the first point one of the things to consider is the environment in which the client application runs:
- browser-based -> implicit grant
- server-side -> authorization code grant and/or client credentials grant
- native application -> mostly implicit grant, but authorization code grant may also be considered
Based on this and what you described, the selection of implicit grant for RP X1 seems appropriate.
In relation to RP X2 it's not so clear-cut and we should review it from the perspective of which resources this application wants to access. Being on the server-side this application is capable of maintaining secrets and as such eligible for client credentials, however, this grant is suitable when the application wants to access resources that are associated to the application itself and not to a specific user.
If this application is going to access resources associated to a Company-X user account then it should use the authorization code grant.
The next diagrams illustrate this substantial difference between the client credentials grant and all the other grants. As you'll notice, there is no separate resource owner involved (in theory the resource owner is the client application itself).
Client Credentials
(source: Client Credentials Grant)
Authorization Code Grant
(source: Authorization Code Grant)
In relation to the architecture from my perspective it seems to be the correct approach. It uses public standards and caters for your requirements so I highly doubt it there are better alternatives. The big issue with authentication systems is not the design phase, it's the implementation itself, especially considering that making it "work" takes about 20% of the effort and the remaining 80% is ensuring that you didn't mess up.
