I just wanted to know if there is an OIDC standard (or one from another foundation), RFC or other document (in draft, complete or incomplete) regarding integrating extra steps into an authentication flow (e.g. the "Authorization Code Flow").
My use case would be to integrate redirects to external pages to add more claims to the original token (e.g. "Identity Proofing" solutions)...
More like a redirect/callback flow that allows the id_token to be "augmented".
I have already revisited the current OpenID specs and the solutions from popular IdPs (Okta, Auth0, Azure B2C...) and all of them appear to implement their own solution:
Is there no standard for this procedure? Something related to OIDC federation, maybe?
Custom behavior is outside of standards:
OAuth does not define how user authentication works, yet it is always there in user-based flows
OpenID Connect puts additional rules into what happens before and after authentication, but again does not define how it works
Extensibility is usually managed by some kind of plugin that adds extra steps to the behaviour of the authorization server. Examples might be:
A custom claims provider that looks up extra claims to include in the access token at the time of token issuance, eg by calling an API that you provide
A custom screen for a bespoke authentication method, eg entering a patient identifier in a medical authentication workflow
How the plugin model works is up to the implementers of the authorization server and is not standardised. In many real-world systems it can be a critical requirement, though. In such cases, ensuring the right extensibility is one of the main factors when choosing an authorization server. Some of them support only very limited customization.
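As an added example (not part of the question or the answer above, and not any vendor's plugin API), here is a toy authorization server in Python that shows both plugin points the answer lists: an in-process claims provider called at token issuance, and a redirect/callback "proofing" step that adds claims to the id_token once the callback's state is verified. Every name in it (proofing.example, /proof/cb, the claim names, the HS256 keys, the directory lookup) is a constructed assumption for illustration; a real proofing service would return a signed assertion rather than a plain dict.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed toy: an authorization server whose id_token issuance is extended
# by (1) claims-provider plugins and (2) an extra redirect/callback step.
ISSUER = "https://as.example"
SIGNING_KEY = b"constructed-hs256-key"   # id_token signing key (HS256 for brevity)
STATE_KEY = b"constructed-state-key"     # binds proofing callbacks to a session
PROTECTED_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "nonce"}  # plugins may not touch

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

class AuthorizationServer:
    def __init__(self):
        self.sessions = {}          # session id -> state after primary authentication
        self.claims_providers = []  # plugin point 1: callables sub -> extra claims

    def register_claims_provider(self, provider):
        self.claims_providers.append(provider)

    def primary_auth(self, sub: str, client_id: str, nonce: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"sub": sub, "aud": client_id, "nonce": nonce, "extra": {}}
        return sid

    # plugin point 2: a redirect step inserted between authentication and issuance
    def start_proofing(self, sid: str) -> str:
        state = _b64url(hmac.new(STATE_KEY, sid.encode(), hashlib.sha256).digest())
        self.sessions[sid]["proof_state"] = state
        return f"https://proofing.example/start?callback={ISSUER}/proof/cb&state={state}"

    def proofing_callback(self, sid: str, state: str, proof_claims: dict) -> None:
        sess = self.sessions[sid]
        expected = sess.get("proof_state")
        if expected is None or not hmac.compare_digest(expected, state):
            raise ValueError("callback state does not match an outstanding proofing step")
        del sess["proof_state"]  # one-shot: a replayed callback fails the check above
        sess["extra"].update(proof_claims)

    def issue_id_token(self, sid: str) -> str:
        sess = self.sessions.pop(sid)
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": sess["sub"], "aud": sess["aud"],
                  "iat": now, "exp": now + 300, "nonce": sess["nonce"]}
        augmented = {}
        for provider in self.claims_providers:
            augmented.update(provider(sess["sub"]))
        augmented.update(sess["extra"])
        for name, value in augmented.items():
            if name in PROTECTED_CLAIMS:  # augmentation must not rewrite identity claims
                raise ValueError(f"plugin attempted to override protected claim {name!r}")
            claims[name] = value
        return sign_jwt(claims)

def directory_lookup(sub: str) -> dict:  # constructed stand-in for "an API you provide"
    return {"email": f"{sub}@example.com", "department": "radiology"}

def run_flow() -> dict:
    server = AuthorizationServer()
    server.register_claims_provider(directory_lookup)
    sid = server.primary_auth("alice", "client-1", "n-123")
    state = server.start_proofing(sid).split("state=")[1]   # browser is sent to the redirect
    # constructed callback from the proofing service
    server.proofing_callback(sid, state, {"identity_verified": True, "verification_method": "document"})
    return verify_jwt(server.issue_id_token(sid))

def bad_state_is_rejected() -> bool:
    server = AuthorizationServer()
    sid = server.primary_auth("bob", "client-1", "n-456")
    server.start_proofing(sid)
    try:
        server.proofing_callback(sid, "forged", {"identity_verified": True})
    except ValueError:
        return True
    return False

def protected_override_is_rejected() -> bool:
    server = AuthorizationServer()
    server.register_claims_provider(lambda sub: {"sub": "admin"})
    sid = server.primary_auth("carol", "client-1", "n-789")
    try:
        server.issue_id_token(sid)
    except ValueError:
        return True
    return False
```

Two checks matter regardless of which server or plugin model you end up with: the callback that brings claims back must be bound to the pending session (here an HMAC state that is consumed on first use, so a forged or replayed callback cannot inject claims), and whatever the plugins return must never be allowed to overwrite the claims the server itself asserts (iss, sub, aud, exp, iat, nonce), otherwise an "augmentation" step becomes an impersonation step.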