Praveen:
Not sure what you're aiming for, but here are a few comments:
It looks like you're moving the trust boundary here. In the first example, the app needs to validate both the app and the user identities (via OKTA) before exchanging messages w/ the "MyBusiness" service. In the second example, it looks like there is some implicit trust between the app and some intermediate layer (labeled "partner mobile app" in the diagram, but I think you mean something else?), and this secondary layer needs to validate w/ OKTA before passing *that* token to your mobile app.
If I have this right, I don't recommend the second option. In fact, I'm not even sure the second option is valid (a middleware component getting the OKTA token and passing that token to some other app that then replays the token to your MyBusiness component). And even if it does work, it seems very insecure (why does your service trust some app that has not talked to OKTA but is using an OKTA token?).
In my work, any app that wants to talk to one of my services needs to do its own validation work and pass the results to my service, where my service validates against the IDP before anything else happens.
Hope this helps.
Mike Amundsen
APIs, Microservices, and Digital Transformation
7310 Turfway Rd. Suite 550, Florence, KY, 41042
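The service-side check described in the reply above, as an added example that is not part of this thread: the MyBusiness service verifies every bearer token itself (signature, algorithm, issuer, audience, expiry) instead of trusting that some upstream app obtained it from Okta. To run offline it assumes HS256 with a constructed shared secret and placeholder issuer/audience values; real Okta access tokens are RS256 and are verified against the org's JWKS (or via token introspection), with the same claim checks.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this offline example; a real deployment verifies RS256
# signatures against the Okta org's JWKS and uses its own issuer/audience strings.
SECRET = b"constructed-shared-secret-not-for-real-use"
ISSUER = "https://example-org.okta.com/oauth2/default"   # placeholder issuer
AUDIENCE = "api://mybusiness"                              # placeholder audience

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Stand-in for the IdP: issue a constructed HS256 token for the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(token: str, now=None) -> dict:
    """Service-side check: the service verifies the token itself before doing any work."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token pick the algorithm
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("token was issued for a different audience")   # the replayed-token case
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims

def check(token: str, now: float) -> str:
    """Returns 'accepted' or 'rejected: <reason>' for a presented bearer token."""
    try:
        validate_token(token, now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"
```

A token minted for a different audience (the "partner" app's token replayed to MyBusiness) fails the audience check even though its signature and issuer are valid.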