Isn't passing the sessionToken as a query param on OIDC authorization endpoint having some security concern?

While exploring the custom login ui with OIDC public client auth code grant, I noticed that i must pass in sessionToken as the custom query param to the authorization endpoint so that it wont prompt me to okta login page.
It works, but i do have concern on the security risks. Isn’t it expose something similar to the implicit grant where the access-token is exposed to the redirected url ?

E.g. of authorization endpoint
https://dev-xx.okta.com/oauth2/default/v1/authorize?client_id=xx&redirect_uri=http%3A%2F%2Flocalhost%3A4200&response_type=code&scope=openid%20profile%20email&state=8d804fbfc5f94281b80bf5a0bb32d3e9&code_challenge=iiFi26b9V0OM97Jow5e42KRKAm5N2nK_kJBfMrZiYXg&code_challenge_method=S256&response_mode=query&sessionToken=${sessionToken}

sessionToken is a one-time thing. Intercepting it won’t make any good for further re-use

1 Like

yes, has done more testing here.
“sessionToken” will result in a “sid” httpOnly cookie and “sid” will be taking over after this
“sessionToken” is not re-usable, this is unlike the access token scenario

Thanks!