The token inline hook sends a request that is defined by context that exists around the end-user and the client. However, there are a few cases where the application holds state data that may need to be passed to the hook service.
When making an authorization request with an authorization code flow, you can pass along a state query parameter in the /authorize URL. This state will be available in
More Information: https://developer.okta.com/docs/reference/api/oidc/#request-parameters
With a client credential flow, there is no state parameter available. However, the /token URL that triggered the hook will be passed along in the request payload. Thus, by appending additional query parameters to the token request, these parameters will be available in the webhook to be parsed.
In this instance, we can reference the URL through data.context.request.url.value and use code to parse the myStateParameter in the URL and derive the value (hello+world).
A simple example to parse the
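One way to read myStateParameter from data.context.request.url.value in a Node.js hook service, as an added example that is not the recipe author's or Okta's code. The sample payload is constructed, and readHookQueryParam, PLACEHOLDER_BASE, MAX_LEN and the allowed-character rule are assumptions made for illustration.

```javascript
// Added example: read one query parameter from a token inline hook payload.
// PLACEHOLDER_BASE (assumption) only lets the URL parser accept a relative path.
const PLACEHOLDER_BASE = 'https://placeholder.invalid';
const MAX_LEN = 128; // assumed upper bound for an application state value

function readHookQueryParam(payload, name) {
  const raw = payload?.data?.context?.request?.url?.value;
  if (typeof raw !== 'string' || raw.length === 0) {
    return { ok: false, reason: 'no request url in payload' };
  }
  let url;
  try {
    url = new URL(raw, PLACEHOLDER_BASE); // works for relative and absolute values
  } catch {
    return { ok: false, reason: 'unparseable request url' };
  }
  const values = url.searchParams.getAll(name);
  if (values.length === 0) return { ok: false, reason: 'parameter absent' };
  // The caller of /token controls the query string, so refuse ambiguous repeats.
  if (values.length > 1) return { ok: false, reason: 'parameter repeated' };
  const value = values[0];
  // Treat the value as untrusted input: bound its length and character set.
  if (value.length > MAX_LEN || !/^[\w .:-]+$/.test(value)) {
    return { ok: false, reason: 'parameter failed validation' };
  }
  return { ok: true, value };
}

// Constructed sample payload, trimmed to the one field this recipe uses.
const samplePayload = {
  data: { context: { request: { url: {
    value: '/oauth2/default/v1/token?myStateParameter=hello+world',
  } } } },
};

// URLSearchParams applies form decoding, so "hello+world" is returned
// as "hello world" (the "+" becomes a space).
const sampleResult = readHookQueryParam(samplePayload, 'myStateParameter');
console.log(sampleResult.ok ? 'state parameter accepted' : sampleResult.reason);
```

The function returns a reason instead of throwing so the hook service can decide whether a missing or malformed parameter should fail the token request or simply be ignored.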
It's important to avoid passing sensitive data through the request parameters. Although the request is encrypted in transit by HTTPS, these URLs are logged in the Okta System Log. Thus, if you need to pass along sensitive data, it's best to have your service query for it over a back channel.
Credits to Brandon Him for the initial recipe.
Feel free to contribute support for other languages by submitting a PR.