Okta Oauth2 Implementation

[stephenkiers]

Ticket ENG-1954 ENG-1953 ENG-1954 ENG-1955 ENG-1956 ENG-1952 ENG-2107

Description Of Changes

This PR replaces Okta’s legacy API token authentication with OAuth2 Client Credentials using private_key_jwt. It updates backend models, admin UI forms, documentation, and introduces a full migration path. This is a breaking change requiring all existing Okta integrations to update their configuration.

Add systems wizard

Settings/Integrations Management

Action Center

Code Changes

• Implement OAuth2 Client Credentials flow for Okta with private_key_jwt.
• Add secure private key–based auth to Okta HTTP client.
• Update OktaConfig model: require clientId, privateKey, optional scopes; remove token.
• Replace legacy API-token form fields in the admin UI with new OAuth2 fields (clientId, privateKey, scopes).
• Add multiline field support for long-form inputs like private keys.
• Validate privateKey as JWK JSON; normalize scopes to an array.
• Add a full Okta key management guide (docs/guides/okta_key_management.md).
• Update migration guide and integration documentation.
• Add changelog entries, including high-risk notice.

Steps to Confirm

1. Create a new Okta OAuth2 app configured for private_key_jwt.
2. Generate and upload a JWK private key; configure clientId and scopes.
3. Save a new Okta connector in the admin UI using the updated form.
4. Validate that OAuth2 token acquisition succeeds.
5. Confirm that existing connectors using API tokens fail as expected (breaking change).
6. Review updated documentation and migration notes.

Pre-Merge Checklist

• All CI Pipelines Succeeded
• New features have been verified on Demo Environment using nox -s demo -- dev
• Documentation:
  • documentation complete, PR opened in fidesdocs
  • documentation issue created in fidesdocs
  • if there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
• Issue Requirements are Met
• Optional: Follow-Up Issues Created
• Update CHANGELOG.md
  • Add a https://github.com/ethyca/fidesplus/labels/high-risk label to the entry if your change includes a high-risk change

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
fides-plus-nightly	Ignored	Preview		Nov 27, 2025 11:02pm
fides-privacy-center	Ignored			Nov 27, 2025 11:02pm

[stephenkiers]

this was missed. perhaps a lint rule is needed

[codecov]

Codecov Report

❌ Patch coverage is 70.22901% with 78 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.96%. Comparing base (7a391d0) to head (0088b32).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...onnection_configuration/connection_secrets_okta.py	40.42%	28 Missing ⚠️
src/fides/connectors/okta.py	20.00%	28 Missing ⚠️
src/fides/api/service/connectors/okta_connector.py	27.77%	13 Missing ⚠️
src/fides/core/system.py	25.00%	3 Missing ⚠️
src/fides/api/api/v1/endpoints/generate.py	33.33%	2 Missing ⚠️
...c/fides/api/service/connectors/okta_http_client.py	98.54%	1 Missing and 1 partial ⚠️
src/fides/api/api/v1/endpoints/validate.py	0.00%	1 Missing ⚠️
src/fides/cli/utils.py	66.66%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7044      +/-   ##
==========================================
- Coverage   87.01%   86.96%   -0.06%     
==========================================
  Files         528      529       +1     
  Lines       34674    34861     +187     
  Branches     4008     4039      +31     
==========================================
+ Hits        30172    30317     +145     
- Misses       3628     3669      +41     
- Partials      874      875       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[johnewart]

Just a few minor questions - though I wouldn't classify any of them as blockers

[stephenkiers]

Is there a util for this already?

[greptile-apps]

Greptile Overview

Greptile Summary

Replaces Okta's legacy API token authentication with OAuth2 Client Credentials using private_key_jwt and DPoP. This is a breaking change requiring all existing Okta integrations to reconfigure with OAuth2 credentials.

Major Changes:

• Implements custom OktaHttpClient with OAuth2 authentication, token caching (10-min expiry buffer), retry logic, and rate limiting
• Updates backend schemas to require clientId, privateKey (JWK), and optional scopes
• Removes async Okta SDK dependency, replacing with synchronous HTTP client using requests-oauth2client
• Updates admin UI forms with OAuth2 fields including multiline JWK input and scope configuration
• Adds comprehensive validation for Okta domains (standard and custom) and JWK format
• Includes 764 lines of new test coverage for OAuth2 client functionality

Issues Found:

• Critical: Rate limiter key implementation doesn't match test expectations (line 301)
• Style: Imports placed inside function instead of at module level (line 93-94)

Confidence Score: 3/5

• Breaking change with solid implementation but has critical test mismatch that needs resolution before merge
• Score reflects well-structured OAuth2 implementation with comprehensive tests and security best practices (DPoP, token caching, JWK validation), but the rate limiter key mismatch between implementation and tests indicates incomplete testing and could cause runtime issues if tests aren't catching the real behavior
• src/fides/api/service/connectors/okta_http_client.py requires fixing the rate limiter key to match test expectations or updating tests to match implementation

Important Files Changed

File Analysis

Filename	Score	Overview
src/fides/api/service/connectors/okta_http_client.py	2/5	New OAuth2 client with token caching, retries, and rate limiting; has critical bug in rate limiter key and imports placed mid-function
tests/ops/service/connectors/test_okta_http_client.py	3/5	Comprehensive test coverage for OAuth2 client including token caching, retries, rate limiting; test expectations don't match implementation
src/fides/api/schemas/connection_configuration/connection_secrets_okta.py	4/5	Updated schema for OAuth2 credentials with JWK validation and Okta domain validation including custom domains
src/fides/connectors/okta.py	4/5	Replaced async Okta SDK with synchronous OAuth2 client; removed async/await patterns throughout

[greptile-apps]

_{35 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}