OpenID Connect (OIDC)-based MFA as a Service - BETA

Prerequisites

Follow the steps below to set up an OIDC application in Okta and provide the artifacts (Okta org URL, client_id, client_secret) to your application.

Configure Okta

Configure Your Application

References and Notes

Nonce implementation notes: http://openid.net/specs/openid-connect-core-1_0.html#NonceNotes

The requesting application (RP) should bind the nonce to the "session" on its own side (by generating the nonce from a hash of the local "session id" if possible). It should then verify that the nonce which comes back inside the signed ID token matches the one it sent on the authorize request.

The request exp should allow sufficient time for clock skew between the RP and Okta and for network latency.
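The two notes above (session-bound nonce, and exp checking that tolerates skew) as an added Python example; this is not Okta's code or the page's own. It assumes the ID token's signature has already been verified, a server-side HMAC key (constructed here) instead of a bare hash so the nonce is not predictable from the session id alone, and an assumed 120-second skew window.

```python
import hashlib
import hmac
import secrets
import time
from typing import Mapping, Optional

# Assumed server-side key, constructed for this example: binding the nonce to the
# local session with an HMAC means knowing a session id does not reveal the nonce.
NONCE_KEY = secrets.token_bytes(32)
CLOCK_SKEW_SECONDS = 120  # assumed leeway for clock skew plus network latency


def nonce_for_session(session_id: str) -> str:
    """Derive the nonce to send on the authorize request from the local session id."""
    return hmac.new(NONCE_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def validate_id_token_claims(claims: Mapping[str, object], session_id: str,
                             expected_issuer: str, client_id: str,
                             now: Optional[float] = None) -> bool:
    """Check the claims of an ID token whose signature has ALREADY been verified.

    Returns True only if the nonce matches the one derived from our own session,
    the token was issued by the expected issuer for this client, and exp/iat fall
    inside the skew window.
    """
    now = time.time() if now is None else now
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not hmac.compare_digest(nonce, nonce_for_session(session_id)):
        return False  # nonce mismatch: replayed or not initiated by this session
    if claims.get("iss") != expected_issuer:
        return False
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        return False
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        return False
    if now > exp + CLOCK_SKEW_SECONDS:
        return False  # expired even after allowing for skew
    if iat > now + CLOCK_SKEW_SECONDS:
        return False  # issued too far in the future to be explained by skew
    return True
```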
