Custom session_id via OIDC

didex · November 25, 2021, 6:56am

I would like to know the possibilities of passing my own session_id via OIDC auth flow
For example, we have a link and the <session_id>

https://${yourOktaDomain}/oauth2/default/v1/authorize?client_id=...&response_type=code&scope=openid&redirect_uri=http://localhost/auth&state=...&nonce=...

I’d like to do it in redirect_uri (http://localhost/<session_id>/auth) but it wouldn’t work
How can I pass the <session_id> to the client, maybe in access_token or id_token?

phi1ipp · November 29, 2021, 12:28am

I’m not sure to be honest, if there is such an expression in Okta EL to populate an additional claim for you with a session_id. Inline hook may help with that, as it has some information about the session.

Other thing, you can save your session on the calling side and associate it with a state, which will be returned back to you from Okta.

But maybe you can reconsider your case, what is the session for?

didex · November 29, 2021, 2:08pm

I have an invitation mechanism for user signup. Session-id contains information about the invitation, and I want to associate that session-id with access_token(or something) that the user will come from Okta.

Associating session-id with state possibly will fix the problem, but I want to find out a more pretty and explicit way to solve the problem

phi1ipp · November 29, 2021, 2:19pm

Keep us all updated, in case you will find it

andrea · November 29, 2021, 5:18pm

You may want to look at Token Inline hooks (a custom authorization server MUST be used if you want to go this route), like @phi1ipp mentioned.

If the session_id you’re referring to is not the same thing as the Okta session id, you can still get it in the data sent in a request to your webhook if its present in the authorize request url (say, as an additional paramter “session_id”). When Okta sends a request to your hooks endpoint in the middle of an OAuth flow, along with information about the claims for the tokens and information about the user and their session, you will also be sent information about the initiating request, including the request URL (located in data.context.request.url.value). See our docs for an example request body: Token Inline Hook Reference | Okta Developer

So if you include an extra parameter in the authorize call, you can pluck it out from the request body to the hook endpoint and then send a command back to Okta to add a claim containing that value.

didex · November 29, 2021, 6:18pm

Great! I guess it fits perfectly! Thanks, man!

system · November 30, 2021, 6:19pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.