As we’re extending this project, we’re looking to have this Auth system work across several domains (i.e., I can log in via Okta on either foo.com, bar.com, or baz.com, etc.). The issue we are running into is the callback from Okta: after we log in on the Okta page, we are redirected to the callback URI we specified in the Okta console, which is foo.com/auth/login. We know all the other domains we may want to redirect to, so we could hypothetically add bar.com, baz.com and so forth into the list of redirect URIs in the Okta console.
Is there a way to dynamically provide a cookie or parameter in passport-openidconnect so that we can specify which of those domains we want to redirect to for our callback URL?
You will want to add all the expected callback domains in Okta. This helps ensure safety in the authentication process. In passport-openidconnect, you can set the callback URL you expect in the configuration.
One way we approached this was by creating a passport strategy at runtime. You can see the code example here.
And you can follow the entire tutorial on setting this up in this post. The post might include more flexibility than you’re looking for, but I think the basic info should carry over.
Thanks for the info! Recreating the strategy is doable, but not super ideal. Is there a way we could do something like pass a custom header to Okta that can then be returned? I.e., something like
And then the callback from Okta includes that ?origin=.... value?
I noted that the openid-connect module passes customHeaders, so would that be an avenue where I could set some customHeaders which are passed to Okta and then could be returned?
Or could this info be returned by adding the state parameter to the authorize URL like