I’d like to do it in redirect_uri (http://localhost/<session_id>/auth) but it wouldn’t work
How can I pass the <session_id> to the client, maybe in access_token or id_token?
I’m not sure to be honest, if there is such an expression in Okta EL to populate an additional claim for you with a session_id. Inline hook may help with that, as it has some information about the session.
Other thing, you can save your session on the calling side and associate it with a state, which will be returned back to you from Okta.
But maybe you can reconsider your case, what is the session for?
I have an invitation mechanism for user signup. Session-id contains information about the invitation, and I want to associate that session-id with access_token(or something) that the user will come from Okta.
Associating session-id with state possibly will fix the problem, but I want to find out a more pretty and explicit way to solve the problem
You may want to look at Token Inline hooks (a custom authorization server MUST be used if you want to go this route), like @phi1ipp mentioned.
If the session_id you’re referring to is not the same thing as the Okta session id, you can still get it in the data sent in a request to your webhook if its present in the authorize request url (say, as an additional paramter “session_id”). When Okta sends a request to your hooks endpoint in the middle of an OAuth flow, along with information about the claims for the tokens and information about the user and their session, you will also be sent information about the initiating request, including the request URL (located in data.context.request.url.value). See our docs for an example request body: Token Inline Hook Reference | Okta Developer
So if you include an extra parameter in the authorize call, you can pluck it out from the request body to the hook endpoint and then send a command back to Okta to add a claim containing that value.