Configure Okta as OAuth2 Identity Provider

Configure Okta for use as an OpenID Connect (OIDC) identity provider using the following steps.

  1. Register Okta application.

  2. Obtain client ID and secret.

  3. Create Auth0 custom social connection.

  4. Set up custom Okta authorization server.

  5. Obtain authorization server URI.

  6. Update and test Auth0 connection.

Register Okta application

  1. Log in to your Okta account, and navigate to the Okta dashboard.

  2. Select Applications, then Add Application to create a new application.

  3. Select the Platform for your application.

  4. Provide the following information for your application settings:

    Setting              Description
    Name                 Name of your application.
    Base URIs            (Optional) Domain(s) of your application.
    Login Redirect URIs  Set to: https://YOUR_DOMAIN/login/callback.
    Group assignments    (Optional) User groups who can sign in to this application.
    Grant type allowed   Grant types to enable for your application.

    The application settings fields may differ depending on the platform you choose.

  5. Click Done. You will be redirected to the General page of your new application.

Obtain client ID and client secret

  1. On the General page of your application, scroll to the Client Credentials section.

  2. Note the Client ID and Client Secret. You will use these when you configure the Auth0 custom social connection.

Create Auth0 custom social connection

  1. Set up a new OAuth2 social connection, using the following values for the connection settings:

    Setting            Description
    Connection Name    Connection name that identifies the Okta account.
    Authorization URL  https://{okta-account}/oauth2/v1/authorize, using the Okta account DNS name.
    Token URL          https://{okta-account}/oauth2/v1/token, using the Okta account DNS name.
    Scope              Parameters to get the profile, such as openid email profile.
    Client ID          Obtained from Okta.
    Client Secret      Obtained from Okta.

  2. In Fetch User Profile Script, enter the following script, replacing {okta-account} with the Okta account DNS name:

        function(accessToken, ctx, cb) {
          // `request` is provided by the Auth0 script sandbox.
          request({
            url: "https://{okta-account}/oauth2/v1/userinfo",
            method: "GET",
            headers: {
              "Authorization": "Bearer " + accessToken,
              "Content-Type": "application/json"
            }
          },
          function(e, r, b) {
            if (e) return cb(e);
            if (r.statusCode !== 200) return cb(new Error('StatusCode: ' + r.statusCode));
            // Auth0 identifies the user by user_id; Okta's userinfo response uses sub.
            var profile = JSON.parse(b);
            profile.user_id = profile.sub;
            delete profile.sub;
            cb(null, profile);
          });
        }


  3. Leave Custom Headers blank.

  4. Click Create, then enable the connection for your applications.

Set up Okta authorization server

To retrieve custom claims from Okta, set up an Okta authorization server and configure your custom claims in the authorization server settings. For more information on creating an Okta authorization server and adding claims, see Okta's Set Up an Authorization Server documentation.

Obtain Okta authorization server issuer URI

  1. Log in to your Okta dashboard, and select Authorization Servers from the API menu.

  2. On the Authorization Servers page, locate the authorization server you created, and make note of the Issuer URI. The Issuer URI should have the following structure: https://{okta-account}/oauth2/{authorization-server-id}

  3. The Issuer URI will be used in the next step.

Update and test Auth0 custom connection

  1. Go to Auth0 Dashboard > Authorization > Social, and select your custom Okta connection.

  2. In the Settings section, update the following fields with your Issuer URI and the appropriate endpoint:

    Field              Value
    Authorization URL  https://{okta-account}/oauth2/{authorization-server-id}/v1/authorize
    Token URL          https://{okta-account}/oauth2/{authorization-server-id}/v1/token

  3. Scroll to the Fetch User Profile Script, and update the request.url with your Issuer URI and the /userinfo endpoint. For example:

    function(accessToken, ctx, cb) {
      // `request` is provided by the Auth0 script sandbox.
      request({
        url: "https://{okta-account}/oauth2/{authorization-server-id}/v1/userinfo",
        method: "GET",
        headers: {
          "Authorization": "Bearer " + accessToken,
          "Content-Type": "application/json"
        }
      },
      function(e, r, b) {
        if (e) return cb(e);
        if (r.statusCode !== 200) return cb(new Error('StatusCode: ' + r.statusCode));
        // Auth0 identifies the user by user_id; Okta's userinfo response uses sub.
        var profile = JSON.parse(b);
        profile.user_id = profile.sub;
        delete profile.sub;
        cb(null, profile);
      });
    }

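The following Node.js script is an added example, not code from Auth0 or Okta. It models the Auth0 side of the connection built in the steps above: the endpoint URLs entered in the connection settings (org authorization server paths first, custom authorization server paths after the update step), the authorize request with the Login Redirect URI registered in the Okta application, and the userinfo-to-profile mapping done by the Fetch User Profile Script. Unlike the page's script it fails closed when the userinfo body is not JSON or carries no sub claim, so no profile is returned with an undefined user_id. The account name, authorization server id, client id and userinfo body are constructed placeholders; `oktaEndpoints`, `buildAuthorizeUrl` and `mapUserinfo` are names chosen here.

```javascript
// Added example (not Auth0's or Okta's own code). Account names, ids and the
// userinfo body below are constructed placeholders for demonstration.

// Endpoint URLs for an Okta account. Without authServerId the org
// authorization server paths (/oauth2/v1/...) are returned, as in the first
// connection settings; with it, the custom authorization server paths
// (/oauth2/{id}/v1/...) used after the update step.
function oktaEndpoints(oktaAccount, authServerId) {
  // Accept only a bare DNS name so a path or query cannot be smuggled into the URLs.
  if (!/^[a-z0-9][a-z0-9.-]*$/i.test(oktaAccount)) {
    throw new Error("oktaAccount must be a bare DNS name such as dev-123456.okta.com");
  }
  if (authServerId !== undefined && !/^[a-z0-9]+$/i.test(authServerId)) {
    throw new Error("authServerId must be alphanumeric");
  }
  const issuer = authServerId
    ? `https://${oktaAccount}/oauth2/${authServerId}`
    : `https://${oktaAccount}`;
  const base = authServerId ? issuer : `${issuer}/oauth2`;
  return {
    issuer,
    authorizationUrl: `${base}/v1/authorize`,
    tokenUrl: `${base}/v1/token`,
    userinfoUrl: `${base}/v1/userinfo`,
  };
}

// Authorize request URL. redirectUri must equal one of the Login Redirect URIs
// registered for the Okta application; the comparison is an exact string match,
// which is what the OAuth 2.0 Security BCP requires of an authorization server.
function buildAuthorizeUrl(endpoints, opts) {
  if (!opts.registeredRedirectUris.includes(opts.redirectUri)) {
    throw new Error("redirect_uri is not registered in the Okta application: " + opts.redirectUri);
  }
  const url = new URL(endpoints.authorizationUrl);
  url.searchParams.set("client_id", opts.clientId);
  url.searchParams.set("redirect_uri", opts.redirectUri);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", opts.scope);
  url.searchParams.set("state", opts.state);
  return url.toString();
}

// Maps a /userinfo response to the profile shape the Fetch User Profile Script
// returns. Throws on a non-200 status, a non-JSON body, or a missing sub claim.
function mapUserinfo(statusCode, body) {
  if (statusCode !== 200) {
    throw new Error("StatusCode: " + statusCode);
  }
  let profile;
  try {
    profile = JSON.parse(body);
  } catch (err) {
    throw new Error("userinfo response is not valid JSON");
  }
  if (typeof profile.sub !== "string" || profile.sub.length === 0) {
    throw new Error("userinfo response has no sub claim");
  }
  profile.user_id = profile.sub;
  delete profile.sub;
  return profile;
}

// Callback-style wrapper matching the (e, r, b) callback used by the page's
// script, so the same checks can be dropped into the Auth0 sandbox script.
function handleUserinfoResponse(e, r, b, cb) {
  if (e) return cb(e);
  let profile;
  try {
    profile = mapUserinfo(r.statusCode, b);
  } catch (err) {
    return cb(err);
  }
  return cb(null, profile);
}

// Constructed sample userinfo body.
const SAMPLE_USERINFO = JSON.stringify({
  sub: "00u1abcd2efgh3ijkl4m5",
  name: "Example User",
  email: "user@example.com",
  email_verified: true,
});

if (typeof require !== "undefined" && require.main === module) {
  const ep = oktaEndpoints("dev-123456.okta.com", "aus9xyz");
  console.log(buildAuthorizeUrl(ep, {
    clientId: "0oaCLIENTIDPLACEHOLDER",
    redirectUri: "https://YOUR_DOMAIN/login/callback",
    registeredRedirectUris: ["https://YOUR_DOMAIN/login/callback"],
    scope: "openid email profile",
    state: "opaque-state-value",
  }));
  console.log(mapUserinfo(200, SAMPLE_USERINFO));
}
```

Run it with `node okta-connection.js` to print the authorize URL and the mapped profile. The redirect URI check is the client-side counterpart of the 400 Okta returns when the redirect URI Auth0 sends does not match one registered for the application, so a mismatch is caught before the browser is sent to Okta.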

  4. Click Try to test the connection. If accepted, you should see the It Works! confirmation page. If not accepted, Okta may return a 400 error because Auth0 passes a redirect URI that points to the Auth0 tenant address. To learn more, read OIDC-Conformant Adoption: Single Sign-On and Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters.

Learn more