While exploring the custom login UI with the OIDC public client authorization code grant, I noticed that I must pass in sessionToken as a custom query param to the authorization endpoint so that it won't prompt me with the Okta login page.
It works, but I do have concerns about the security risks. Isn't it exposing something similar to the implicit grant, where the access token is exposed in the redirected URL?
Example of the authorization endpoint: