OIDC iss parameter in URL


I have implemented 2 OIDC SPA apps that are accessible through direct link or through Okta dashboard. I have an interrogation that I can’t answer reading Okta admin or developer documentation so I’m trying here.

The redirect URI has this format : https://app.client.com/login/callback

But when we try to reach to the app using Okta’s App Embed Link, SSO works fine but the final URL has this format : https://app.client.com/login/callback?iss=https%3A%2F%2Ftenant.okta.com)

I know iss stands for issuer which but why is it in the URL as a parameter and what can we do to avoid this ?

This is the configuration of our app :

Thank you

This is by design. With the “Redirect to app to initiate login (OIDC Compliant)” option checked, Okta will redirect the user to the app URL with iss in the query string. Your app is expected to start a new OpenID Connect flow to the designated issuer.

1 Like

Alright I didn’t know that. So the application should process the URL with the query string then start a new OpenID flow (that could allow redirect or change the URL ?).

What would imply switching to “Send ID Token directly to app (Okta Simplified)” ? I never really look down on thoses 2 different “Login Flow”.

Thanks !