Hello — we’re implementing an OIDC-based auth flow where our clients (MSAL apps) need to pass per-request contextual values (for example: workstation, session_id, device fingerprint) and have those values appear as claims in the tokens Okta issues (ID token or access token).
Important constraints
- This is an enterprise environment with strict networking: we cannot expose a public HTTPS endpoint that Okta would call (so Token Inline Hooks that require Okta → our service callbacks are effectively blocked).
- Okta acts as the OIDC IdP and federates authentication to ADFS for users.
- We control the client code (MSAL), ADFS, and backend services, but cannot open inbound tunnels from Okta to our network.
What we want
- Per-request (dynamic) values provided by the client at the time of authentication — e.g., workstation=DESKTOP-007 — to be available as claims inside the Okta-issued token.
- Prefer a solution that requires minimal infra changes and no public endpoints.