Back to Documentation

Okta OAuth Setup Guide

Setting Up Okta OAuth for Your App

This guide will walk you through the process of setting up Okta OAuth 2.0 authentication for Eva integration.

Prerequisites

  • An Okta account (developer or enterprise)
  • Admin access to your Okta organization
  • Your application's domain (e.g., https://eva.foxio.io)

Step 1: Access Your Domain

  1. Log in to your Okta Admin Dashboard:

    • For developer accounts: https://dev-XXXXXX-admin.okta.com
    • For enterprise accounts: https://yourcompany-admin.okta.com

  2. Note your Okta domain:

    • Find your domain in the top-right corner or in the URL
    • It will look like: https://dev-123456.okta.com or https://yourcompany.okta.com
    • Save this domain - you'll need it for configuration

Step 2: Create an App Integration

  1. Navigate to Applications:

    • In the Admin Console, go to Applications > Applications
    • Click Create App Integration

  2. Select Sign-in Method:

    • Choose OIDC - OpenID Connect
    • Select Web Application as the Application type
    • Click Next

  3. Configure App Integration Settings:

    General Settings:

    • App integration name: Enter a descriptive name (e.g., "Eva OAuth Integration")
    • Logo: Upload your app logo (optional)

    Grant type:

    • Authorization Code (required)
    • Refresh Token (recommended)
    • Implicit

    Sign-in redirect URIs:

    • Add: https://eva.foxio.io/api/callback
    • Add any additional callback URLs for different environments

    Sign-out redirect URIs: (optional)

    • Add your logout redirect URL if needed

    Controlled access:

    • Select who can access this application:
      • Allow everyone in your organization to access (recommended for internal apps)
      • Limit access to selected groups (for restricted access)

  4. Save the Application

Step 3: Access Your Client ID and Client Secret

  1. After creating the app, you'll be redirected to the application's page

  2. In the Client Credentials section, you'll find:

    • Client ID: Copy this value
    • Client secret: Copy this value (keep it secure!)

  3. Important Security Notes:

    • Never expose your Client Secret in client-side code
    • Store it in environment variables or secure secret management
    • Rotate the secret periodically for security

Step 4: Configure OAuth Settings

  1. Go to the Sign On tab of your application

  2. OpenID Connect ID Token settings:

    • Set appropriate token lifetimes
    • Configure refresh token behavior:
      • Rotate token after every use (more secure)
      • Or set a specific lifetime

  3. User consent:

    • configure the consent screen

Step 5: Add Users to Your Application

  1. Navigate to the Assignments tab

  2. Assign users or groups:

    • Click Assign > Assign to People or Assign to Groups
    • Search for and select users/groups
    • Click Assign and Save and Go Back

  3. For testing:

    • Assign yourself or a test account first
    • Verify the assignment is active

Step 6: Configure Authentication Policies

  1. Access Authentication Policies:

    • Go to Security > Authentication Policies
    • Or in your app, go to the Sign On tab > View policy details

  2. Configure session lifetime:

    • Set how long users stay logged in
    • Configure idle session timeout

  3. Set up Multi-Factor Authentication (MFA):

    • In the authentication policy, add a rule
    • Configure when to prompt for MFA:
      • Every sign-in
      • Once per session
      • Based on network location
      • Based on user group

  4. Password requirements:

    • Set password complexity rules
    • Configure password expiration if needed

Step 7: API Access Management

  1. Default Authorization Server:

    • Navigate to Security > API > Authorization Servers
    • Click on default authorization server

  2. Verify Scopes:

    • Ensure these scopes are available:
      • openid - OpenID Connect authentication
      • profile - User profile information
      • email - User email address

  3. Access Policies:

    • Review the default policy
    • Ensure your application is included

Step 8: Understanding Okta OAuth Endpoints

Your Okta OAuth 2.0 endpoints will be:

  • Authorization endpoint:
    https://YOUR_DOMAIN/oauth2/default/v1/authorize

  • Token endpoint:
    https://YOUR_DOMAIN/oauth2/default/v1/token

  • JWKS endpoint:
    https://YOUR_DOMAIN/oauth2/default/v1/keys

  • Userinfo endpoint:
    https://YOUR_DOMAIN/oauth2/default/v1/userinfo

Replace YOUR_DOMAIN with your Okta domain (e.g., dev-123456.okta.com).

Step 9: Testing Your Configuration

  1. Test the OAuth Flow:

    • Use Okta's built-in test feature:
      • In your app's General tab, click Preview the sign-in page
    • Or test from your Eva application

  2. Verify the authentication flow:

    • User is redirected to Okta login
    • After authentication, redirected back to your callback URL
    • Your app receives an authorization code
    • Exchange the code for tokens

  3. Check token contents:

    • Use jwt.io to decode tokens (for testing only)
    • Verify claims include email and profile information

Step 10: Best Practices and Security

  1. Production Readiness:

    • Use a custom domain for better branding
    • Enable HTTPS for all endpoints
    • Implement proper error handling

  2. Monitoring:

    • Review Okta system logs regularly
    • Set up alerts for suspicious activities
    • Monitor failed login attempts

  3. Compliance:

    • Configure session policies per your security requirements
    • Implement appropriate MFA policies
    • Regular security audits

Troubleshooting

Common Issues:

  1. "Invalid redirect_uri" error:

    • Ensure the redirect URI exactly matches configuration
    • Check for trailing slashes and protocol (http/https)

  2. "Invalid client" error:

    • Verify Client ID and Secret are correct
    • Check if the app is active and not deactivated

  3. "Access denied" error:

    • Verify user is assigned to the application
    • Check group assignments if using group-based access

  4. Missing user information:

    • Confirm the correct scopes are requested (openid profile email)
    • Check user profile has required attributes

  5. Token expiration issues:

    • Review token lifetime settings
    • Implement proper refresh token handling

Configuration Summary

Use these values to configure Eva app:

  • Domain: Your Okta domain (e.g., https://dev-123456.okta.com)
  • Client ID: From your app's Client Credentials
  • Client Secret: From your app's Client Credentials (keep secure!)

For more detailed information, refer to:

Next Steps

After completing this setup guide, you're ready to configure Eva with your Okta credentials.

Install Eva for SlackView All Guides