diff --git a/x-pack/plugins/security/server/routes/api/v1/authenticate.js b/x-pack/plugins/security/server/routes/api/v1/authenticate.js
index b9423c3ec2d85..e24b31039b9cb 100644
--- a/x-pack/plugins/security/server/routes/api/v1/authenticate.js
+++ b/x-pack/plugins/security/server/routes/api/v1/authenticate.js
@@ -72,21 +72,22 @@ export function initAuthenticateApi(server) {
   });
 
   server.route({
-    method: 'GET',
+    // POST is only allowed for Third Party initiated authentication
+    method: ['GET', 'POST'],
     path: '/api/security/v1/oidc',
     config: {
       auth: false,
       validate: {
         query: Joi.object().keys({
-          iss: Joi.string(),
+          iss: Joi.string().uri({ scheme: 'https' }),
           login_hint: Joi.string(),
-          target_link_uri: Joi.string(),
+          target_link_uri: Joi.string().uri(),
           code: Joi.string(),
           error: Joi.string(),
           error_description: Joi.string(),
-          error_uri: Joi.string(),
+          error_uri: Joi.string().uri(),
           state: Joi.string()
-        })
+        }).unknown()
       }
     },
     async handler(request, h) {
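Review bot: The `validate` block on the new side still only covers `query`, yet the route now also accepts POST for third-party-initiated login, and that flow commonly delivers `iss`, `login_hint` and `target_link_uri` as a form-encoded body; if the handler (which continues past the hunk) reads them from `request.payload`, they reach it unvalidated, so either a matching `payload: Joi.object().keys({ ... })` schema or a comment stating that only query-string parameters are consumed on POST is needed. `target_link_uri: Joi.string().uri()` accepts any scheme and host, so if the handler later redirects to that value it must still be compared against Kibana's own origin — a syntactically valid URI is not a safe redirect target. Adding `.unknown()` silently admits arbitrary extra query parameters; a one-line comment on why that is required (e.g. `// providers may append their own parameters to the callback`) would keep it from being removed as an oversight.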
@@ -112,43 +113,6 @@ export function initAuthenticateApi(server) {
     }
   });
 
-  server.route({
-    // POST is only allowed for Third Party initiated authentication
-    method: 'POST',
-    path: '/api/security/v1/oidc',
-    config: {
-      auth: false,
-      validate: {
-        query: Joi.object().keys({
-          iss: Joi.string(),
-          login_hint: Joi.string(),
-          target_link_uri: Joi.string()
-        })
-      }
-    },
-    async handler(request, h) {
-      try {
-        // We handle the fact that the user might get redirected to Kibana while already having an session
-        // in the same exact manner as with saml. Return an error notifying the user they are already logged in.
-        const authenticationResult = await server.plugins.security.authenticate(request);
-        if (authenticationResult.succeeded()) {
-          return Boom.forbidden(
-            'Sorry, you already have an active Kibana session. ' +
-            'If you want to start a new one, please logout from the existing session first.'
-          );
-        }
-
-        if (authenticationResult.redirected()) {
-          return h.redirect(authenticationResult.redirectURL);
-        }
-
-        throw Boom.unauthorized(authenticationResult.error);
-      } catch (err) {
-        throw wrapError(err);
-      }
-    }
-  });
-
   server.route({
     method: 'GET',
     path: '/api/security/v1/logout',