I went through the SSO tutorial here: Overview | Okta Developer
However, the tutorial unfortunately doesn’t tell you anything about what to do on the backend side. I downloaded the sample app (in Go) and I think it’s more geared towards basic OAuth as opposed to SSO? samples-golang/okta-hosted-login at master · okta/samples-golang · GitHub
I am left with a few questions:
When a user wants to be redirected to the login page, shouldn’t the “issuer” here be whatever organization they belong to? If you click on the following link, it’s getting the issuer from the environment, which would be hardcoded to the app’s original organization: samples-golang/main.go at c7a168ec4d1eac295bf8325f9577ab0de133b72b · okta/samples-golang · GitHub
When the OAuth callback endpoint is called, the “exchange code” function is again using the hard-coded issuer, which is my app’s original Okta organization. I’m okay with that here, since we are passing the client ID/secret. However, will it know which organization the user is actually signing on to, and would it return it in the claims properly? samples-golang/main.go at c7a168ec4d1eac295bf8325f9577ab0de133b72b · okta/samples-golang · GitHub
Given the confusion above, is there a way for me to test multiple organizations using my app before officially submitting my app to OIN? I’d like to make sure that my backend code can correctly handle distinguishing organizations before going to production.
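As an added example (not part of the post, the Okta sample app, or any Okta library), the following Go code shows the two pieces the questions above revolve around: resolving the issuer per organization instead of from a single environment variable, and, on the callback, checking that the `iss` claim of the (already signature-verified) ID token matches the organization the login started with. The org names and issuer URLs are constructed sample values, and the org-to-issuer map, `ResolveIssuer` and `CheckOrgBinding` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample data: each Okta organization has its own issuer.
// The sample app instead reads one ISSUER value from the environment.
var orgIssuers = map[string]string{
	"acme":   "https://acme.okta.com/oauth2/default",
	"globex": "https://globex.okta.com/oauth2/default",
}

// ResolveIssuer (hypothetical) picks the issuer for the organization the user
// is signing in to; the caller uses it both for the login redirect and for
// the token exchange / JWKS lookup on the callback.
func ResolveIssuer(org string) (string, error) {
	iss, ok := orgIssuers[org]
	if !ok {
		return "", fmt.Errorf("unknown organization %q", org)
	}
	return iss, nil
}

// Claims is the subset of ID-token claims this check needs.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
}

// CheckOrgBinding (hypothetical) runs on the callback after the ID token's
// signature has been verified against expectedOrg's JWKS. It rejects a token
// whose iss claim does not match the organization the flow started with (the
// org is expected to be carried in the OAuth state or the session), so a token
// from one org cannot complete a login that was started for another org.
func CheckOrgBinding(expectedOrg string, claimsJSON []byte) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return c, err
	}
	want, err := ResolveIssuer(expectedOrg)
	if err != nil {
		return c, err
	}
	if strings.TrimRight(c.Iss, "/") != strings.TrimRight(want, "/") {
		return c, errors.New("issuer mismatch: token not issued by the expected organization")
	}
	return c, nil
}

func main() {
	claims := []byte(`{"iss":"https://acme.okta.com/oauth2/default","sub":"00u1"}`) // constructed
	_, err := CheckOrgBinding("globex", claims)
	fmt.Println("login for globex with an acme token:", err)
}
```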