Idp redirect_uri is pointing to source org instead of /callback

Both ORG 1 and ORG 2 have the sign-in redirect set to /okta/login/callback. But on IdP discovery the callback is https%3A%2F%2Fmy-first-org.okta.com%2Foauth2%2Fv1%2Fauthorize%2Fcallback instead of what is defined in both orgs.

My ORG 1 has an external IdP, which is ORG 2.

The external IdP call from the React Widget:

https://my-second-org.com/oauth2/default/v1/authorize?state=bkVIVEhDdWhWRlZ3NFlUdlBBcEJDSnFpNThhRE5FWE1YOGUrRXBEU0JkOWgxcUorTGliTGhmSzVsMm0vNk56Vw&nonce=rYrC0LDeW5uLgJJE2Pr1CoxRUik-6m9W&client_id=0oao4y8u1vvW9pA2F5d7&redirect_uri=https%3A%2F%2Fmy-first-org.okta.com%2Foauth2%2Fv1%2Fauthorize%2Fcallback&response_type=code&login_hint=examples.com&scope=email+openid+profile

If I manually change the URL to ../okta/login/callback, it works and I am able to sign in as an ORG 2 user. On the way back to my ORG 1 widget I get a token error; I assume due to the redirect_uri being incorrect?

Would appreciate some help.
Thank you

I don’t understand; it sounds like the issue you’re running into is related to logging into an OIDC application, not an OIDC Identity Provider.

When Okta makes a request to log a user in via an OIDC Identity Provider, it will be handling the tokens being returned by that provider, so the redirect_uri will be a callback endpoint for the target Okta Org itself, either https://company.okta.com/oauth2/v1/authorize/callback (if using the *.okta.com domain to login) or https://{{customDomain}}/oauth2/v1/authorize/callback (if using a Custom Domain). That way Okta can validate the tokens returned by the IdP and create an Okta session for the user.

You’ll see this mentioned in the docs here: Enterprise Identity Provider | Okta Developer


How is your application triggering this request? Do you happen to be using a Widget with useClassicEngine set to true (or using a widget v6.x or lower)?
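As an added example (not part of the thread and not Okta's code), the check below parses the authorize request posted in the question and tells the Okta IdP callback described in the reply apart from the application's own sign-in callback. The Org 1 domain and the localhost application callback are taken from the thread; that the external IdP's client registration must list the Okta callback for the request to succeed is ordinary OIDC redirect_uri matching, assumed here.

```python
from urllib.parse import urlparse, parse_qs

# Authorize request the Org 1 widget sent to Org 2 (copied from the question).
WIDGET_AUTHORIZE_URL = (
    "https://my-second-org.com/oauth2/default/v1/authorize"
    "?state=bkVIVEhDdWhWRlZ3NFlUdlBBcEJDSnFpNThhRE5FWE1YOGUrRXBEU0JkOWgxcUorTGliTGhmSzVsMm0vNk56Vw"
    "&nonce=rYrC0LDeW5uLgJJE2Pr1CoxRUik-6m9W&client_id=0oao4y8u1vvW9pA2F5d7"
    "&redirect_uri=https%3A%2F%2Fmy-first-org.okta.com%2Foauth2%2Fv1%2Fauthorize%2Fcallback"
    "&response_type=code&login_hint=examples.com&scope=email+openid+profile"
)

# Constructed from the thread: the application's own sign-in redirect URI.
APP_CALLBACKS = {"http://localhost:3000/okta/login/callback"}

REQUIRED_PARAMS = ("client_id", "redirect_uri", "response_type", "state", "nonce")


def expected_idp_callback(source_org_domain):
    """Callback Okta itself uses when it acts as the OIDC client of an external
    IdP. source_org_domain is the *.okta.com or custom domain of the org that
    owns the Identity Provider (Org 1 here), never the application's host."""
    return f"https://{source_org_domain}/oauth2/v1/authorize/callback"


def classify_redirect_uri(redirect_uri, source_org_domain, app_callbacks):
    """Distinguish the Okta IdP callback from the application callback. Only the
    former lets Org 1 receive Org 2's response and create the Okta session; the
    latter is what was substituted by hand in the thread."""
    if redirect_uri == expected_idp_callback(source_org_domain):
        return "okta-idp-callback"
    if redirect_uri in app_callbacks:
        return "app-callback"
    return "unknown"


def check_idp_authorize_request(url, source_org_domain, app_callbacks=APP_CALLBACKS):
    """Parse the authorize request and report what the external IdP (Org 2)
    must have registered as a redirect URI for the flow to complete."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    first = {k: v[0] for k, v in query.items()}  # parse_qs percent-decodes
    redirect_uri = first.get("redirect_uri")
    return {
        "redirect_uri": redirect_uri,
        "redirect_uri_kind": classify_redirect_uri(redirect_uri, source_org_domain, app_callbacks),
        "must_register_on_idp_app": expected_idp_callback(source_org_domain),
        "missing_params": [p for p in REQUIRED_PARAMS if p not in first],
        "response_type_is_code": first.get("response_type") == "code",
    }
```

Running `check_idp_authorize_request(WIDGET_AUTHORIZE_URL, "my-first-org.okta.com")` reports the decoded redirect_uri as the Okta IdP callback, which is the value the Org 2 application needs in its allowed redirect URIs.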

I have 2 orgs,

  • First org is the one connected to my app and widget setup
  • Second org is the test org with potential users that I need to authorize to sign in via the widget with IdP discovery.

On the first Org I added an external IdP which points to the ORG 2 app (clientID and secret).

Goal:
Users from ORG 2 come to the widget and are able to seamlessly sign in to my app.

My setup (NextJS):



ORG 2 errors with redirect_uri=https://org1.okta.com/oauth2/v1/authorize/callback. When I manually change it to redirect_uri=http://localhost:3000/okta/login/callback it works, but after logging into ORG 2 I am sent back to my app at http://localhost:3000/okta/login/callback and get a token expired error in the system log for ORG 1.

System log for ORG 2 when `redirect_uri=https://org1.okta.com/oauth2/v1/authorize/callback`:

But it works if I manually change it to `redirect_uri=http://localhost:3000/okta/login/callback`.

@andrea I am just trying to see if I missed anything. Would appreciate the help 🙏

Just to confirm, in your widget configuration, is it currently set up to point to Org 1 (in which there is an external IdP for Org 2)? E.g., the issuer URL and clientId are from Org 1?

Does login work if users log into Org 1 directly (without attempting to then route them to a target application)? You can test the IdP itself using a URL like this: https://OktaDomain/sso/idps/idpId, replacing OktaDomain with the URL for Org 1 and idpId with the ID of the Identity Provider created in Org 1 that points to Org 2.