Hi,
Our web service already supports OIDC for Google and Microsoft. Now we have also implemented a multi-tenant login flow using Okta as an identity provider. Our flow is that an external Okta tenant that wants to log in to our web service creates an OIDC ‘app’ in their Okta and submits the client ID and secret to us. Then we create an external IdP in our Okta using their domain name and the aforementioned client ID and secret. We are also setting up IdP discovery rules for each IdP, which include one or more domains.
The login is initiated from the Okta-hosted login page, and the OIDC authorize URI points to our Okta org. Our Okta receives the login request and, based on the user's domain, redirects to the appropriate external IdP.
If authentication is successful, tokens are returned to our service. We have also configured our backend to validate the ID token with the public JWKS, which can be found at the /.well-known endpoint for each org.
Now my question is: can we publish the OIDC ‘app’ that each tenant has to integrate into their Okta? Will the published app take care of IdP discovery without the need to configure it on our end? What would be the benefits of publishing the ‘app’ compared with our current approach?
Thanks in advance,
Hristo