Hi @jmangelo! Thank you for the response here. Here is my use case:
We have a client that has a couple of different sets of OAuth2 endpoints within their IdP. But essentially, after a user “signs in”, we want to be able to test a custom query string that is returned to the SP in the authorization code redirect response, which tells the SP to continue with a different set of OAuth2 endpoints.
The flow would look like:
1.) User is redirected to authz URL A, signs in with their username/password, the IdP determines that the user needs to authn with a different set of endpoints/configuration, and sends back a query string in the redirect to the SP (instead of erroring out, before any token requests).
2.) SP catches the query string, then redirects to another authz URL B. Because the user has already authenticated and has a valid session within the IdP, we just continue on with the OAuth2 flow behind the scenes and the user is then authenticated into the SP.
It’s sort of a “fail over” approach under the hood, with the main goal being to prevent the user from having to type in their username/password twice.
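As an added illustration (not code from the original post, and not Auth0's own), here is how an SP-side callback handler could classify the redirect described above: it binds every redirect to the pending `state` before honoring the custom parameter, fails over only to an allowlisted configuration, and otherwise hands the code to the token exchange. The configuration names, the URLs and the `switch_to` parameter name are assumptions.

```python
# Added example: SP callback handling for the A -> B fail-over flow.
# CONFIGS, REDIRECT_URI and SWITCH_PARAM are constructed placeholders.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Allowlist of OAuth2 configurations the SP is willing to use (constructed).
CONFIGS = {
    "A": {"authz": "https://idp.example/a/authorize", "client_id": "sp-a"},
    "B": {"authz": "https://idp.example/b/authorize", "client_id": "sp-b"},
}
REDIRECT_URI = "https://sp.example/callback"
SWITCH_PARAM = "switch_to"  # assumed name of the IdP's custom query parameter


def build_authz_request(config_name: str, session: dict) -> str:
    """Build an authorization-code request for one allowlisted config, with fresh
    state and PKCE values stored in the SP session for the callback to verify."""
    cfg = CONFIGS[config_name]
    verifier = secrets.token_urlsafe(32)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    state = secrets.token_urlsafe(16)
    session.update({"state": state, "pkce_verifier": verifier, "config": config_name})
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{cfg['authz']}?{urlencode(params)}"


def handle_callback(callback_url: str, session: dict) -> dict:
    """Classify the IdP redirect: check state first, then either fail over to
    another allowlisted config or continue with the code exchange."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    # State is verified before anything else so that an unsolicited redirect
    # carrying only the custom parameter cannot steer the SP to another config.
    expected = session.get("state", "")
    if not expected or not secrets.compare_digest(q.get("state", "").encode(), expected.encode()):
        return {"action": "reject", "reason": "state mismatch"}
    session.pop("state")  # one-time use: a replayed redirect is rejected above
    if SWITCH_PARAM in q:
        target = q[SWITCH_PARAM]
        if target not in CONFIGS or target == session.get("config"):
            return {"action": "reject", "reason": "unknown or repeated config"}
        # Second leg: the IdP already holds a session, so this redirect completes silently.
        return {"action": "redirect", "location": build_authz_request(target, session)}
    if "code" in q:
        return {"action": "exchange_code", "config": session["config"],
                "code": q["code"], "code_verifier": session["pkce_verifier"]}
    return {"action": "reject", "reason": q.get("error", "no code")}
```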