This is getting a lot of heat. Let me talk about how you can do this today. I should have put this information in here before, I left out the information on what you need to do to the email.
There is another email macro you can use, I think y’all are aware of ${activationLink}, there is also ${activationToken}.
With this, you can modify the activation email to point to your own application:
https://myapplication.com/activate?token=${activationToken}
After your application gets the token, you can activate the user by an API call: Primary authentication with activation token
From here, you can get the sessionToken and exchange it for an id_token and/or access_token as normal using the authorization route:
https://developer.okta.com/docs/api/resources/oidc#authorize
Let me know any questions about this, we are still working on pulling our email verification and activation APIs so they can work correctly for OIDC flows. This is the workaround we have for now