Configure Okta as an OpenID Connect Identity Provider

This article walks you through configuring Okta for use as an OpenID Connect identity provider.

Configure Okta

Log in to your Okta account. If you don't already have one, you will need to create one.

On the general Okta dashboard, click Admin. This takes you to the Okta Admin Dashboard.

Okta Dashboard

Using the list of shortcuts at the right-hand side of the screen, click Add Applications.

Okta Admin Dashboard

On the Add Application page, select Create New App.

Create New Okta App

On the Create a New Application Integration pop-up window, select the Platform for your application, and choose OpenID Connect as the Sign on method. Click Create to proceed.

Create OpenID Connect Integration

You will now create your OpenID Connect integration. On the General Settings page, provide the following:

  • App name;
  • App logo (optional);

OpenID Connect Integration General Settings

Click Next to proceed.

Next, you will see the Configure OpenID Connect page. Enter the following values into the appropriate fields:

  • Redirect URI: https://YOUR_AUTH0_DOMAIN/login/callback

OpenID Connect Integration Configure

Click Next to proceed.

You'll be directed to the General page for your newly-created app.

General Configuration Information

Scroll down to the Client Credentials section and take note of the Client ID and Client Secret.

Configure Auth0

At this point, you will configure the integration from the Auth0 side.

Auth0 supports creating custom OpenID Connect connections by using the Custom Social Connections Extension. Follow the guide to Set Up a New Social Connection and use the following values for the connection settings:

  • Name: The name of the connection. Use a name that clearly identifies the Okta account; beyond that, you are free to name the connection whatever you like;
  • Client ID: Use the Client ID you obtained in the General page of your application in Okta;
  • Client Secret: Use the Client Secret you obtained in the General page of your application in Okta;
  • Authorization URL: Set https://{okta-account}/oauth2/v1/authorize, replacing {okta-account} with the DNS name of the Okta account where you registered the application;
  • Token URL: Set https://{okta-account}/oauth2/v1/token, replacing {okta-account} with the DNS name of the Okta account where you registered the application;
  • Scope: The scopes requested so that the user profile can be retrieved; as a first approach you can use openid email profile;
  • Fetch User Profile Script: Use the following script, replacing {okta-account} with the DNS name of the Okta account where you registered the application.
    function(accessToken, ctx, cb) {
      // Call Okta's userinfo endpoint with the access token obtained from the Token URL
      request({
          url: "https://{okta-account}/oauth2/v1/userinfo",
          method: "GET",
          headers: {
            "Authorization": "Bearer " + accessToken,
            "Content-Type": "application/json"
          }
        },
        function(e, r, b) {
          if (e) return cb(e);
          if (r.statusCode !== 200) return cb(new Error('StatusCode: ' + r.statusCode));
          // Auth0 keys the identity on user_id; Okta returns the subject identifier as sub
          var profile = JSON.parse(b);
          profile.user_id = profile.sub;
          delete profile.sub;
          cb(null, profile);
        }
      );
    }

  • Custom Headers: Leave it empty

Click Save to proceed and then continue following the instructions to enable the connection in your applications.
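The following is an added example, not code from the Auth0 article or from Okta: it assembles the connection settings listed above from an Okta account DNS name and an Auth0 domain, refuses values that still carry the {okta-account} placeholder, and runs the Fetch User Profile logic offline against a stubbed `request` so the sub-to-user_id mapping and the non-200 and malformed-body paths can be checked before the script is saved in the extension. The `request` callback shape (options, then `(err, response, body)`) is assumed to match what the Auth0 sandbox provides; `example.okta.com`, `tenant.auth0.com` and the userinfo payload are constructed sample values.

```javascript
'use strict';

// Okta's OIDC endpoints, relative to the account's DNS name (from the article).
const OKTA_AUTHORIZE_PATH = '/oauth2/v1/authorize';
const OKTA_TOKEN_PATH = '/oauth2/v1/token';
const OKTA_USERINFO_PATH = '/oauth2/v1/userinfo';

// Reject values that still contain a {placeholder} or are not bare DNS names.
function assertHostname(value, label) {
  if (typeof value !== 'string' || /[{}]/.test(value)) {
    throw new Error(label + ' still contains a placeholder: ' + value);
  }
  if (!/^[a-z0-9.-]+$/i.test(value)) {
    throw new Error(label + ' must be a bare DNS name (no scheme or path): ' + value);
  }
  return value;
}

// Produce the values to paste into the Custom Social Connections extension.
function buildOktaConnectionSettings(oktaAccount, auth0Domain, clientId, clientSecret) {
  assertHostname(oktaAccount, 'Okta account');
  assertHostname(auth0Domain, 'Auth0 domain');
  return {
    name: 'okta-' + oktaAccount.split('.')[0],
    clientId: clientId,
    clientSecret: clientSecret,
    authorizationUrl: 'https://' + oktaAccount + OKTA_AUTHORIZE_PATH,
    tokenUrl: 'https://' + oktaAccount + OKTA_TOKEN_PATH,
    userinfoUrl: 'https://' + oktaAccount + OKTA_USERINFO_PATH,
    scope: 'openid email profile',
    redirectUri: 'https://' + auth0Domain + '/login/callback', // configured on the Okta side
    customHeaders: {},
  };
}

// Same logic as the article's Fetch User Profile script, with `request` injected
// (assumed callback shape: request(options, function (err, response, body))).
function makeFetchUserProfile(userinfoUrl, request) {
  return function (accessToken, ctx, cb) {
    request({
      url: userinfoUrl,
      method: 'GET',
      headers: {
        Authorization: 'Bearer ' + accessToken,
        'Content-Type': 'application/json',
      },
    }, function (e, r, b) {
      if (e) return cb(e);
      if (r.statusCode !== 200) return cb(new Error('StatusCode: ' + r.statusCode));
      let profile;
      try { profile = JSON.parse(b); } catch (err) { return cb(err); }
      if (!profile.sub) return cb(new Error('userinfo response has no sub claim'));
      profile.user_id = profile.sub; // Auth0 keys the identity on user_id
      delete profile.sub;
      cb(null, profile);
    });
  };
}

// Constructed stub standing in for Okta's /userinfo endpoint: answers 401 unless
// the expected bearer token is presented, otherwise the given status and body.
function stubRequest(statusCode, body) {
  return function (opts, cb) {
    const authorized = opts.headers.Authorization === 'Bearer test-token';
    cb(null, { statusCode: authorized ? statusCode : 401 }, authorized ? body : '');
  };
}

// Run the profile callback against the stub and return { err, profile }.
function runProfileFetch(statusCode, body, token) {
  const settings = buildOktaConnectionSettings('example.okta.com', 'tenant.auth0.com', 'cid', 'secret');
  const fetchProfile = makeFetchUserProfile(settings.userinfoUrl, stubRequest(statusCode, body));
  let out = {};
  fetchProfile(token, {}, function (err, profile) { out = { err: err, profile: profile }; });
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  const sample = JSON.stringify({ sub: '00u1', email: 'a@example.com' }); // constructed
  console.log(runProfileFetch(200, sample, 'test-token'));
}
```

Running the file prints the mapped profile (`user_id` set, `sub` removed); swapping the token or the body shows how the script surfaces a non-200 response or a non-JSON body as an error instead of a half-populated profile.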