So my goal is create an OIDC integration for the OIN. I have the basics working in my dev instance, but my question is about getting the baseUrl as a part of the OIDC flow.

Now, when a user clicks into my app from Okta dashboard, Okta sends them to the initate login URI which includes the tenant’s base url in the iss query param like initiate-login?iss=https%3A%2F%2Fdev-xx.okta.com. With this information I can redirect the browser to the authorize URL based on the url ie: dev-xx.okta.com/oauth2/v1/authorize. Okta then redirects to the Redirect URI that includes the authorization code so like localhost:8888/callback?code=CODE. However, now I have no idea which Okta instance they came from to make the call to get the access token? Is there a standard way to do this?

Obviously, I can require the Okta admin to add some kind of query param to the Redirect URI, but is that recommended way to build something for the OIN? I would prefer that they have to do as little as possible.

Is it ok to send something along in the state query param that I can use to identify which okta org (and thus base Url) they came from?

You could send it in the state query parameter as you have mentioned. If your app supports a different redirect_uri based on tenant, you can configure that in the submission form as well.

Screen Shot 2021-12-07 at 7.59.17 PM1530×770 58.5 KB

https://developer.okta.com/docs/guides/submit-app/openidconnect/submission2-specific/#protocol-specific-settings

Thank you @warren! I had read that documentation but since I’m developing this via the AIW (where this option doesn’t seem to exist) I couldn’t quite picture how it worked. Your screenshot makes it super clear and now I realize I can vary the Redirect URI per tenant with pretty minimal work for the end-users.