Initiate Login URI Doesn't Send Email in Params

Hey there, I have a backend that talks to multiple Okta OIDC clients with the same frontend. I have Okta configurations stored by email. Now whenever I click on the Initiate Login URI it redirects to url?iss=OKTA_URL, but I also need the email in the params to initiate login. Is there a way to add email to the Initiate Login URI params?

This is not possible, at least not at this time. Okta’s SP-initiated login support is based on the OpenID spec for Third Party Initiated Login, which states which parameters will be sent to the SP upon redirect to the Initiate Login URI. No other parameters are designed to be passed along to the application.

Since this is an OIDC application, you should be able to get the user’s email within the token (presuming you request the email scope, of course) after your application initiates and completes the authorization flow.


Hey @andrea, let’s say I cater to multiple companies with the same product and each of the companies has a different Okta client that they need to use. When I initiate login from the UI, I can take their email and use it to know which Okta client my backend is supposed to use during authorization with the auth code and PKCE. But when the OIDC client call is initiated through the IdP, it redirects to my UI, which would not know which Okta configuration to use to log in, since I deal with multiple Okta clients. That is why we need the email during the initiateLogin redirection. Can you help with this?

I have heard a similar use case described before, where a single Okta org has multiple instances of the same OIDC app configured and would like to have more information passed from Okta to the SP. I would think that the most useful information to receive would be the iss (so you can check the .well-known/openid-configuration endpoint) and the client_id (so you know which client to log the user into). This is not supported at this time, but I definitely recommend filing an Okta Idea so we can track this feature request.

The only way I can think of to accomplish this in the meantime would be to add this information to your initiate_login_uri for the individual app.
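To show what that workaround looks like in practice, here is an added example (not code from the thread, from Okta or from any Okta SDK): each Okta app is registered with its own initiate_login_uri path such as `https://app.example.com/login/<tenant>`, and the backend handler uses the path to pick the client configuration, cross-checks it against the `iss` Okta does send, and then starts an authorization code + PKCE request. The tenant names, issuers, client IDs, redirect URI and authorize endpoints are all hypothetical; in a real deployment the authorize endpoint would be taken from each issuer's `.well-known/openid-configuration` document.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry of the Okta OIDC clients this backend serves. The key is
# the tenant label the operator bakes into that app's initiate_login_uri
# (e.g. https://app.example.com/login/acme). Issuers, client IDs and authorize
# endpoints are hypothetical placeholders.
TENANTS = {
    "acme": {
        "issuer": "https://acme.okta.com",
        "client_id": "0oaACME0000000000001",
        "authorize_endpoint": "https://acme.okta.com/oauth2/v1/authorize",
    },
    "globex": {
        "issuer": "https://globex.okta.com",
        "client_id": "0oaGLOBEX00000000001",
        "authorize_endpoint": "https://globex.okta.com/oauth2/v1/authorize",
    },
}
REDIRECT_URI = "https://app.example.com/callback"  # hypothetical


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge: base64url(SHA-256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Fresh high-entropy code_verifier and its matching S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def handle_initiate_login(request_url: str) -> tuple:
    """Process a redirect from Okta to our initiate_login_uri.

    Returns (authorize_url, state, code_verifier). The caller stores state and
    code_verifier in the user's session and redirects the browser to
    authorize_url. Raises ValueError when the request cannot be mapped safely
    to exactly one tenant.
    """
    parts = urlsplit(request_url)

    # The tenant comes from the path *we* registered for this app, not from
    # anything Okta sends; this is the per-app information the reply refers to.
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[0] != "login":
        raise ValueError("initiate_login_uri path must be /login/<tenant>")
    cfg = TENANTS.get(segments[1])
    if cfg is None:
        raise ValueError("unknown tenant")

    query = parse_qs(parts.query)
    iss = query.get("iss", [None])[0]
    # Cross-check the iss Okta does send against the tenant's configured issuer.
    # Trusting the path alone would let anyone who can point a browser at
    # /login/acme?iss=... start a flow against a mismatched org.
    if iss is None or iss.rstrip("/") != cfg["issuer"].rstrip("/"):
        raise ValueError("iss does not match the tenant's configured issuer")

    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(24)
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": REDIRECT_URI,
        # The email scope is what puts the user's email into the ID token.
        "scope": "openid profile email",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # The third-party-initiated login spec also defines an optional login_hint;
    # pass it through if the IdP happens to include one.
    login_hint = query.get("login_hint", [None])[0]
    if login_hint:
        params["login_hint"] = login_hint

    return cfg["authorize_endpoint"] + "?" + urlencode(params), state, verifier
```

The important design point is that the tenant selector lives in a value the operator controls (the registered initiate_login_uri), while the only IdP-supplied parameter, `iss`, is used to verify that selection rather than to make it. Rejecting a mismatch keeps a forged or misrouted redirect from starting a flow against the wrong Okta org.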

