Okta Classic Engine | Single Sign-On | Answered | 2023-03-31T10:39:58.000Z | 2023-03-11T19:28:32.000Z | 2023-03-13T15:53:18.000Z

JamesF.30679 (Customer) asked a question.

Integrating OKTA SSO into a SAAS App with multiple OKTA customers

We have a SAAS App and 2 customers, Customer A and Customer B. Both customers are using OKTA and have their own instance. We are looking to integrate OIDC and have created an Okta Developer account and created an Okta App.

We are closely following the code example here: https://developer.okta.com/blog/2018/07/09/five-minute-php-app-auth

We have mostly everything working, except when we receive the CODE param in the redirect URL from OKTA. We don't know how to work out if the flow is for Customer A or Customer B.

When converting the CODE into a TOKEN using the code below, we are required to pass in the correct Client_ID and Client_Secret, but how can we detect which customer has initiated the login request (Customer A or Customer B) and know which Client_ID to use in the code below?

// Exchange the authorization code for tokens at the token endpoint.
$response = http($metadata->token_endpoint, [
    'grant_type' => 'authorization_code',
    'code' => $_GET['code'],
    'redirect_uri' => $redirect_uri,
    'client_id' => $client_id,
    'client_secret' => $client_secret,
]);

// Introspect the access token to confirm it is active.
$token = http($metadata->introspection_endpoint, [
    'token' => $response->access_token,
    'client_id' => $client_id,
    'client_secret' => $client_secret,
]);

// Log the user in only when the token is active.
if ($token->active == 1) {
    $_SESSION['username'] = $token->username;
    header('Location: /');
    die();
}


This question is closed.
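
One way to tell the tenants apart at the callback, as an added example that is not part of the original question or of Okta's code: store the chosen tenant next to a random `state` value in the session when the login starts, then look it up when the code comes back. The tenant keys, URLs and credentials are constructed placeholders, and `begin_login` and `resolve_tenant` are hypothetical helper names.

```php
<?php
// Added example. Tenant keys, URLs and credentials are constructed placeholders.
const TENANTS = [
    'customer-a' => [
        'authorization_endpoint' => 'https://customer-a.example/authorize',
        'client_id' => 'CLIENT_ID_A', 'client_secret' => 'CLIENT_SECRET_A',
    ],
    'customer-b' => [
        'authorization_endpoint' => 'https://customer-b.example/authorize',
        'client_id' => 'CLIENT_ID_B', 'client_secret' => 'CLIENT_SECRET_B',
    ],
];

// Login start: bind a random state and the tenant to the session ($_SESSION in a web app).
function begin_login(array &$session, string $tenantKey, string $redirectUri): string
{
    if (!array_key_exists($tenantKey, TENANTS)) {
        throw new InvalidArgumentException('Unknown tenant');
    }
    $state = bin2hex(random_bytes(16));
    $session['oidc'] = ['state' => $state, 'tenant' => $tenantKey];
    return TENANTS[$tenantKey]['authorization_endpoint'] . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => TENANTS[$tenantKey]['client_id'],
        'redirect_uri'  => $redirectUri,
        'scope'         => 'openid',
        'state'         => $state,
    ]);
}

// Callback: the tenant comes from the single-use session entry, never from the request.
function resolve_tenant(array &$session, array $query): array
{
    $pending = $session['oidc'] ?? null;
    unset($session['oidc']);
    $state = $query['state'] ?? null;
    if (!is_array($pending) || !is_string($state) || !isset($query['code'])
        || !hash_equals($pending['state'], $state)) {
        throw new RuntimeException('State mismatch, callback rejected');
    }
    return TENANTS[$pending['tenant']];
}

// Constructed round trip: Customer B starts a login, then the callback arrives.
$session = [];
$url = begin_login($session, 'customer-b', 'https://app.example/callback');
parse_str(parse_url($url, PHP_URL_QUERY), $sent);
$tenant = resolve_tenant($session, ['code' => 'constructed-code', 'state' => $sent['state']]);
echo $tenant['client_id'], PHP_EOL;
```

The entry returned by `resolve_tenant` supplies the `client_id` and `client_secret` for the token and introspection calls in the question's snippet.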