Should I verify Okta's OP in case of a custom org domain?

Sorry for the probably stupid question, but let's say I expose an Initiate login URI where I later get an iss query parameter from Okta requesting me to start the SSO flow. Let's say Okta's requesting org has a custom domain and I can't check that the request is from something.okta.com. If I start negotiating with such an OP, isn't it possible that I just send my client secret to some fake OP that somehow knew my Initiate login URI and sent me a request?

You could try appending /.well-known/openid-configuration to the iss URL and then making a GET request to it to see if you get a valid response back.
https://developer.okta.com/docs/reference/api/oidc/#well-known-openid-configuration


But a malicious host can mimic that response easily; there's no way to authenticate Okta's response, is there?
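The following is an added example (not Okta's code and not posted by either participant above) that puts the two posts together: the discovery-document check suggested in the reply, and why it cannot be the trust decision. The RP only holds a client secret because it registered with a specific OP, so the `iss` arriving at the Initiate Login URI is checked by exact match against the issuers the RP was configured with before anything is fetched; the discovery document is then only checked for consistency (its `issuer` must equal the URL it was fetched from, per OIDC Discovery 4.3). A look-alike host can copy Okta's discovery response byte for byte and still never receives the secret, because it is never selected as an issuer. The issuer allowlist, client credentials, hostnames and discovery documents are constructed test data; `login.example.com` stands in for a custom Okta org domain, and `fetch_discovery` is injected so the example runs offline.

```python
"""Third-party initiated login (OIDC Core 1.0 section 4): how an RP should
treat the `iss` it receives at its Initiate Login URI. Added example with
constructed data, not Okta's code."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Issuers this RP registered with, keyed by the exact issuer string each one
# publishes. A client secret belongs to one issuer and is only ever sent to
# that issuer's token endpoint. (Constructed: Okta org authorization server on
# a custom domain, plus a custom authorization server on the same org.)
TRUSTED_ISSUERS = {
    "https://login.example.com": {
        "client_id": "client-org-server", "client_secret": "org-secret"},
    "https://login.example.com/oauth2/default": {
        "client_id": "client-custom-server", "client_secret": "default-secret"},
}
RP_HOST = "rp.example.com"  # this RP's own host (constructed)


class LoginInitiationError(Exception):
    pass


def parse_initiate_login_request(query_string: str) -> dict:
    """Parse the request to the Initiate Login URI. `iss` is required,
    `login_hint` and `target_link_uri` optional; duplicates are rejected."""
    params = parse_qs(query_string, keep_blank_values=True)

    def single(name):
        values = params.get(name, [])
        if len(values) > 1:
            raise LoginInitiationError(f"duplicate parameter {name}")
        return values[0] if values else None

    iss = single("iss")
    if not iss:
        raise LoginInitiationError("missing iss")
    return {"iss": iss, "login_hint": single("login_hint"),
            "target_link_uri": single("target_link_uri")}


def select_issuer(iss: str, trusted: dict = TRUSTED_ISSUERS) -> dict:
    """The trust decision: exact match against configured issuers. No
    normalisation or suffix match, so 'https://login.example.com/' and
    'https://login.example.com.attacker.net' are both rejected, and nothing
    fetched from the network takes part in the decision."""
    if iss not in trusted:
        raise LoginInitiationError(f"untrusted issuer {iss!r}")
    return trusted[iss]


def validate_target_link_uri(target, rp_host=RP_HOST):
    """target_link_uri is attacker-controlled; keep it on the RP's own host so
    the Initiate Login URI is not an open redirect."""
    if target is None:
        return None
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname != rp_host:
        raise LoginInitiationError(f"target_link_uri {target!r} is off-site")
    return target


def validate_discovery_document(iss: str, doc: dict) -> dict:
    """Consistency checks on iss + /.well-known/openid-configuration: `issuer`
    must be identical to the URL fetched, endpoints must be https on the
    issuer's host. Whoever controls the issuer URL can fabricate a document
    that passes this, so it is a sanity check, not authentication."""
    if doc.get("issuer") != iss:
        raise LoginInitiationError("discovery issuer does not match iss")
    iss_host = urlsplit(iss).hostname
    for name in ("authorization_endpoint", "token_endpoint"):
        url = doc.get(name)
        parts = urlsplit(url or "")
        if parts.scheme != "https" or parts.hostname != iss_host:
            raise LoginInitiationError(f"{name} {url!r} is not https on {iss_host}")
    return doc


def start_login(query_string: str, fetch_discovery,
                redirect_uri=f"https://{RP_HOST}/callback") -> dict:
    """Handle an Initiate Login URI request. fetch_discovery(iss) is injected;
    in production it is an HTTPS GET of iss + '/.well-known/openid-configuration'."""
    req = parse_initiate_login_request(query_string)
    client = select_issuer(req["iss"])  # fails before any network call
    target = validate_target_link_uri(req["target_link_uri"])
    doc = validate_discovery_document(req["iss"], fetch_discovery(req["iss"]))
    state = secrets.token_urlsafe(16)
    authz = {"response_type": "code", "client_id": client["client_id"],
             "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    if req["login_hint"]:
        authz["login_hint"] = req["login_hint"]
    return {"issuer": req["iss"], "state": state, "target_link_uri": target,
            "authorize_url": doc["authorization_endpoint"] + "?" + urlencode(authz),
            "token_endpoint": doc["token_endpoint"]}  # the only place the secret goes


# Constructed discovery documents: the genuine org server and a look-alike
# host that mimics the response exactly, differing only in hostname.
DISCOVERY = {
    "https://login.example.com": {
        "issuer": "https://login.example.com",
        "authorization_endpoint": "https://login.example.com/oauth2/v1/authorize",
        "token_endpoint": "https://login.example.com/oauth2/v1/token"},
    "https://login.example.com.attacker.net": {
        "issuer": "https://login.example.com.attacker.net",
        "authorization_endpoint": "https://login.example.com.attacker.net/oauth2/v1/authorize",
        "token_endpoint": "https://login.example.com.attacker.net/oauth2/v1/token"},
}
FETCHES = []  # records which issuers were ever contacted


def fake_fetch(iss):
    FETCHES.append(iss)
    return DISCOVERY[iss]


def rejected(query_string, fetch=fake_fetch) -> bool:
    """True when start_login() refuses the request."""
    try:
        start_login(query_string, fetch)
    except LoginInitiationError:
        return True
    return False
```

The design point is the ordering in `start_login`: `select_issuer` runs first, so an unknown `iss` is refused before the RP even performs the discovery GET, and the token endpoint that later receives the client secret can only ever come from a discovery document fetched from a configured issuer. Whether that issuer sits on a `.okta.com` host or a custom domain does not matter; what matters is that the string was configured by the RP's operator and not taken from the request.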