Okta
Feature availability
Section titled “Feature availability”| Feature | Support |
|---|---|
| OAuth2/OIDC clients | ✅ Full |
| SAML clients | ✅ Full |
| Resource servers | ❌ Not supported |
| Client cloning | ✅ Full |
-
Create an API token
In the Okta Admin Console, go to Security → API → Tokens → Create Token. Give it a name (e.g.
Taco) and copy the token value immediately — it is only shown once. -
Set environment variables
Terminal window OPENID_PROVIDER=oktaOKTA_DOMAIN=your-org.okta.comOKTA_API_TOKEN=your-api-token
Client management notes
Section titled “Client management notes”- OAuth2/OIDC clients are created as Okta app integrations with
signOnMode: OPENID_CONNECT(app typeoidc_client). The Okta-assigned app ID doubles as the OAuth2client_id. - SAML clients are created as custom SAML app integrations (
template_saml_2_0) with sensible defaults (RSA_SHA256signing, unspecifiedNameIDformat). Adjust attribute statements and signing certificates directly in the Okta Admin Console if you need finer control. - Apps are activated automatically on creation. Deleting a client first deactivates, then deletes, the underlying Okta app — matching Okta’s lifecycle requirements.
- Resource servers are not modeled by Taco for this provider — manage Okta Authorization Servers and scopes directly in the Okta Admin Console.
OIDC login (optional)
Section titled “OIDC login (optional)”To protect the Taco dashboard with Okta SSO, register a separate OIDC web app integration (authorization code flow):
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://your-org.okta.comAUTH_CLIENT_ID=your-oidc-app-client-idAUTH_CLIENT_SECRET=your-oidc-app-client-secretAdd <BASE_URL>/api/auth/callback/oidc to the application’s Sign-in redirect URIs.