Skip to content

Okta

FeatureSupport
OAuth2/OIDC clients✅ Full
SAML clients✅ Full
Resource servers❌ Not supported
Client cloning✅ Full
  1. Create an API token

    In the Okta Admin Console, go to Security → API → Tokens → Create Token. Give it a name (e.g. Taco) and copy the token value immediately — it is only shown once.

  2. Set environment variables

    Terminal window
    OPENID_PROVIDER=okta
    OKTA_DOMAIN=your-org.okta.com
    OKTA_API_TOKEN=your-api-token
  • OAuth2/OIDC clients are created as Okta app integrations with signOnMode: OPENID_CONNECT (app type oidc_client). The Okta-assigned app ID doubles as the OAuth2 client_id.
  • SAML clients are created as custom SAML app integrations (template_saml_2_0) with sensible defaults (RSA_SHA256 signing, unspecified NameID format). Adjust attribute statements and signing certificates directly in the Okta Admin Console if you need finer control.
  • Apps are activated automatically on creation. Deleting a client first deactivates, then deletes, the underlying Okta app — matching Okta’s lifecycle requirements.
  • Resource servers are not modeled by Taco for this provider — manage Okta Authorization Servers and scopes directly in the Okta Admin Console.

To protect the Taco dashboard with Okta SSO, register a separate OIDC web app integration (authorization code flow):

Terminal window
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://your-org.okta.com
AUTH_CLIENT_ID=your-oidc-app-client-id
AUTH_CLIENT_SECRET=your-oidc-app-client-secret

Add <BASE_URL>/api/auth/callback/oidc to the application’s Sign-in redirect URIs.