Should I verify Okta's OP in case of a custom Org domain?

Sorry for the probably stupid question, but let's say I expose an Initiate login URI where I later get an iss query parameter from Okta requesting me to start the SSO flow. Let's say the requesting Okta Org has a custom domain and I can't check where the request is from; if I start negotiating with such an OP, isn't it possible that I could just send my client secret to some fake OP that somehow knew my Initiate login URI and sent me a request?

You could try appending /.well-known/openid-configuration to the iss URL and then making a GET request to it to see whether you get a valid response back.

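The concern raised in the thread is exactly the one the discovery lookup alone cannot settle: any host can serve a well-formed openid-configuration document, so the check that actually protects the client secret is comparing the incoming iss against an allowlist of issuers the relying party configured out of band, before contacting anything. The following example, added here and not code from the thread or from Okta, shows an Initiate Login URI handler doing both: the allowlist check first, then the discovery-document consistency check the answer suggests. The issuer values, the sample discovery documents and the `fetch` callable are constructed assumptions for this example; in a real deployment `fetch` would be an HTTPS GET with certificate validation.

```python
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit

# Assumption: the RP operator configures the issuers it trusts out of band.
# Both entries are constructed sample values for this example.
TRUSTED_ISSUERS = frozenset({
    "https://example.okta.com",
    "https://login.example-corp.com",   # a custom Org domain the RP has onboarded
})

DISCOVERY_PATH = "/.well-known/openid-configuration"


def normalize_issuer(iss: str) -> Optional[str]:
    """Return a canonical issuer URL, or None if `iss` is not acceptable.

    Only https; no credentials, query or fragment. The host is lower-cased and
    a trailing slash is dropped so the allowlist comparison is an exact match
    (a look-alike host such as issuer.example.com.other.example never matches).
    """
    try:
        parts = urlsplit(iss)
        if parts.scheme.lower() != "https" or not parts.hostname:
            return None
        if parts.username or parts.password or parts.query or parts.fragment:
            return None
        host = parts.hostname.lower()
        if parts.port is not None:          # .port raises ValueError on a bad port
            host = f"{host}:{parts.port}"
    except ValueError:
        return None
    return urlunsplit(("https", host, parts.path.rstrip("/"), "", ""))


def is_trusted_issuer(iss: str) -> bool:
    """The decisive check: an unknown OP cannot pass an allowlist it is not on."""
    norm = normalize_issuer(iss)
    return norm is not None and norm in TRUSTED_ISSUERS


def discovery_url(iss: str) -> str:
    """Discovery endpoint for a normalized issuer, as the answer above proposes."""
    norm = normalize_issuer(iss)
    if norm is None:
        raise ValueError(f"unacceptable issuer: {iss!r}")
    return norm + DISCOVERY_PATH


def validate_discovery_document(iss: str, doc: object) -> bool:
    """Consistency checks on a document fetched from discovery_url(iss).

    The `issuer` claim must equal the URL the document was fetched from and
    the endpoints must be https. This catches misconfiguration and a document
    that tries to send the client elsewhere; it does not by itself prove the
    OP is genuine, because any host can serve a well-formed document.
    """
    if not isinstance(doc, dict):
        return False
    if doc.get("issuer") != normalize_issuer(iss):
        return False
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = doc.get(key)
        if not isinstance(endpoint, str) or urlsplit(endpoint).scheme != "https":
            return False
    return True


def accept_initiate_login(iss: str, fetch: Callable[[str], object]) -> Optional[dict]:
    """Gate for the Initiate Login URI handler.

    Returns the validated discovery document when `iss` may be used to start an
    authorization request, otherwise None. The allowlist runs first, so the RP
    never contacts, let alone authenticates to, a host it does not already know.
    """
    if not is_trusted_issuer(iss):
        return None
    doc = fetch(discovery_url(iss))
    if not validate_discovery_document(iss, doc):
        return None
    return doc


# Constructed sample discovery documents standing in for real HTTPS fetches.
SAMPLE_DOCS = {
    "https://login.example-corp.com" + DISCOVERY_PATH: {
        "issuer": "https://login.example-corp.com",
        "authorization_endpoint": "https://login.example-corp.com/oauth2/v1/authorize",
        "token_endpoint": "https://login.example-corp.com/oauth2/v1/token",
        "jwks_uri": "https://login.example-corp.com/oauth2/v1/keys",
    },
    # An unknown host serving a perfectly well-formed document: the discovery
    # check passes, the allowlist check does not.
    "https://login.example-corp.com.lookalike.example" + DISCOVERY_PATH: {
        "issuer": "https://login.example-corp.com.lookalike.example",
        "authorization_endpoint": "https://login.example-corp.com.lookalike.example/authorize",
        "token_endpoint": "https://login.example-corp.com.lookalike.example/token",
        "jwks_uri": "https://login.example-corp.com.lookalike.example/keys",
    },
}


def sample_fetch(url: str) -> object:
    """Offline stand-in for an HTTPS GET of the discovery document."""
    return SAMPLE_DOCS.get(url)


if __name__ == "__main__":
    for candidate in ("https://login.example-corp.com/",
                      "https://login.example-corp.com.lookalike.example",
                      "http://login.example-corp.com"):
        verdict = "accept" if accept_initiate_login(candidate, sample_fetch) else "reject"
        print(f"{candidate} -> {verdict}")
```

The ordering matters: because the allowlist is consulted before any request is made, the relying party's client secret is only ever presented at the token endpoint of an issuer it was configured to trust, which is the property the original question is asking for.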

But a malicious host can mimic that response easily; there's no way to authenticate Okta's response, is there?