Isn't passing the sessionToken as a query param to the OIDC authorization endpoint a security concern?

While exploring the custom login UI with the OIDC public client authorization code grant, I noticed that I must pass sessionToken as a custom query param to the authorization endpoint so that it won't prompt me with the Okta login page.
It works, but I do have concerns about the security risks. Isn't it exposing something similar to the implicit grant, where the access token is exposed in the redirect URL?

E.g. of authorization endpoint${sessionToken}

sessionToken is a one-time thing. Intercepting it won't do any good for further re-use.


Yes, I have done more testing here.
"sessionToken" will result in a "sid" httpOnly cookie, and "sid" will take over after this.
"sessionToken" is not re-usable; this is unlike the access token scenario.
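To make the one-time property concrete, here is a toy model of the exchange described in this thread (an added example, not Okta's code): the sessionToken rides along as a query param on a response_type=code request, the server consumes it exactly once and answers with an HttpOnly sid cookie, and a replay of the same URL is rejected. The endpoint URL, client ID and redirect URI are constructed placeholders.

```python
"""Toy model of the sessionToken -> sid exchange. Added example, not Okta's
implementation; the URL and identifiers below are constructed placeholders."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://example.okta.com/oauth2/v1/authorize"  # placeholder


def build_authorize_url(client_id, redirect_uri, state, session_token):
    """Authorization Code request for a public client. sessionToken is a query
    param; because response_type is 'code', the redirect back to the app
    carries only a short-lived code, never an access token."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "sessionToken": session_token,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Redeems each sessionToken exactly once for an HttpOnly sid cookie."""

    def __init__(self):
        self._pending = {}   # unredeemed sessionToken -> user
        self._sessions = {}  # sid cookie value -> user

    def issue_session_token(self, user):
        token = secrets.token_urlsafe(24)
        self._pending[token] = user
        return token

    def authorize(self, url):
        """Handle the /authorize request. Returns the Set-Cookie header and an
        authorization code, or None if the sessionToken is missing, unknown
        or already redeemed (a replayed/intercepted token lands here)."""
        qs = parse_qs(urlparse(url).query)
        token = qs.get("sessionToken", [None])[0]
        user = self._pending.pop(token, None)  # one-time: consumed on first use
        if user is None:
            return None
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = user  # from now on the sid cookie carries the session
        cookie = f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=None"
        return {"set_cookie": cookie, "code": secrets.token_urlsafe(16)}

    def user_for_sid(self, sid):
        """Later requests authenticate with the cookie, not the sessionToken."""
        return self._sessions.get(sid)
```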