ethyca · stephenkiers · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025
diff --git a/.github/workflows/backend_checks.yml b/.github/workflows/backend_checks.yml
@@ -397,7 +397,8 @@ jobs:
           DYNAMODB_ACCESS_KEY_ID: op://github-actions/dynamodb/DYNAMODB_ACCESS_KEY_ID
           DYNAMODB_ACCESS_KEY: op://github-actions/dynamodb/DYNAMODB_ACCESS_KEY
           DYNAMODB_REGION: op://github-actions/dynamodb/DYNAMODB_REGION
-          OKTA_CLIENT_TOKEN: op://github-actions/ctl/OKTA_CLIENT_TOKEN
+          OKTA_CLIENT_ID: op://github-actions/okta/OKTA_CLIENT_ID
+          OKTA_PRIVATE_KEY: op://github-actions/okta/OKTA_PRIVATE_KEY
           REDSHIFT_FIDESCTL_PASSWORD: op://github-actions/ctl/REDSHIFT_FIDESCTL_PASSWORD
           SNOWFLAKE_FIDESCTL_PASSWORD: op://github-actions/ctl/SNOWFLAKE_FIDESCTL_PASSWORD
 
@@ -469,8 +470,9 @@ jobs:
           GOOGLE_CLOUD_SQL_POSTGRES_DB_IAM_USER: op://github-actions/gcp-postgres/GOOGLE_CLOUD_SQL_POSTGRES_DB_IAM_USER
           GOOGLE_CLOUD_SQL_POSTGRES_INSTANCE_CONNECTION_NAME: op://github-actions/gcp-postgres/GOOGLE_CLOUD_SQL_POSTGRES_INSTANCE_CONNECTION_NAME
           GOOGLE_CLOUD_SQL_POSTGRES_KEYFILE_CREDS: op://github-actions/gcp-postgres/GOOGLE_CLOUD_SQL_POSTGRES_KEYFILE_CREDS
-          OKTA_API_TOKEN: op://github-actions/okta/OKTA_API_TOKEN
+          OKTA_CLIENT_ID: op://github-actions/okta/OKTA_CLIENT_ID
           OKTA_ORG_URL: op://github-actions/okta/OKTA_ORG_URL
+          OKTA_PRIVATE_KEY: op://github-actions/okta/OKTA_PRIVATE_KEY
           RDS_MYSQL_AWS_ACCESS_KEY_ID: op://github-actions/rds-mysql/RDS_MYSQL_AWS_ACCESS_KEY_ID
           RDS_MYSQL_AWS_SECRET_ACCESS_KEY: op://github-actions/rds-mysql/RDS_MYSQL_AWS_SECRET_ACCESS_KEY
           RDS_MYSQL_DB_INSTANCE: op://github-actions/rds-mysql/RDS_MYSQL_DB_INSTANCE

@@ -107,8 +107,12 @@ describe("Config Wizard", () => {
       cy.getByTestId("okta-btn").click();
       // Fill form
       cy.getByTestId("authenticate-okta-form");
-      cy.getByTestId("input-orgUrl").type("https://ethyca.com/");
-      cy.getByTestId("input-token").type("fakeToken");
+      cy.getByTestId("input-orgUrl").type("https://dev-12345.okta.com");
+      cy.getByTestId("input-clientId").type("0oa1abc2def3ghi4jkl5");
+      cy.getByTestId("input-privateKey").type(
+        '{"kty":"RSA","kid":"test","n":"test","e":"AQAB","d":"test"}',
+        { parseSpecialCharSequences: false },
+      );
     });
 
     it("Allows submitting the form and reviewing the results", () => {

@@ -7,7 +7,7 @@ import {
 } from "~/features/connection-type/types";
 
 import { ControlledSelect } from "./ControlledSelect";
-import { CustomTextInput } from "./inputs";
+import { CustomTextArea, CustomTextInput } from "./inputs";
 
 export type FormFieldProps = {
   name: string;
@@ -91,6 +91,23 @@ export const FormFieldFromSchema = ({
           );
         }
 
+        if (fieldSchema.multiline) {
+          return (
+            <CustomTextArea
+              {...field}
+              label={fieldSchema.title}
+              tooltip={fieldSchema.description}
+              isRequired={isRequired}
+              placeholder={getPlaceholder()}
+              variant={layout}
+              textAreaProps={{
+                rows: 8,
+                style: { fontFamily: "monospace", fontSize: "12px" },
+              }}
+            />
+          );
+        }
+
         return (
           <CustomTextInput
             {...field}

@@ -4,13 +4,14 @@ import { useState } from "react";
 import * as Yup from "yup";
 
 import { useAppDispatch, useAppSelector } from "~/app/hooks";
-import { CustomTextInput } from "~/features/common/form/inputs";
+import { CustomTextArea, CustomTextInput } from "~/features/common/form/inputs";
 import {
   isErrorResult,
   ParsedError,
   parseError,
 } from "~/features/common/helpers";
 import { useAlert } from "~/features/common/hooks";
+import { OKTA_AUTH_DESCRIPTION } from "~/features/integrations/integration-type-info/oktaInfo";
 import {
   GenerateResponse,
   GenerateTypes,
@@ -30,20 +31,71 @@ import { useGenerateMutation } from "./scanner.slice";
 import ScannerError from "./ScannerError";
 import ScannerLoading from "./ScannerLoading";
 
+const PRIVATE_KEY_TOOLTIP =
+  "Private key in JWK (JSON) format. Generate a key in Okta and download the JSON.";
+
+const DEFAULT_SCOPES = ["okta.apps.read"];
+
+const parseScopesFromCsv = (scopes: string | undefined): string[] =>
+  scopes
+    ? scopes
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean)
+    : DEFAULT_SCOPES;
+
 const initialValues = {
   orgUrl: "",
-  token: "",
+  clientId: "",
+  privateKey: "",
+  scopes: "okta.apps.read",
 };
 
 type FormValues = typeof initialValues;
 
 const ValidationSchema = Yup.object().shape({
-  orgUrl: Yup.string().required().trim().url().label("URL"),
-  token: Yup.string()
+  orgUrl: Yup.string().required().trim().url().label("Organization URL"),
+  clientId: Yup.string()
     .required()
     .trim()
     .matches(/^[^\s]+$/, "Cannot contain spaces")
-    .label("Token"),
+    .label("Client ID"),
+  privateKey: Yup.string()
+    .required()
+    .trim()
+    .test(
+      "is-valid-json",
+      "Private key must be valid JSON. Paste the JWK downloaded from Okta.",
+      (value) => {
+        if (!value) {
+          return true;
+        }
+        try {
+          JSON.parse(value);
+          return true;
+        } catch {
+          return false;
+        }
+      },
+    )
+    .label("Private Key"),
+  scopes: Yup.string()
+    .required()
+    .trim()
+    .label("Scopes")
+    .default("okta.apps.read")
+    .test(
+      "valid-scopes",
+      "Scopes must be a single scope or comma-separated list (e.g., 'okta.apps.read' or 'okta.apps.read, okta.users.read')",
+      (value) => {
+        if (!value) {
+          return true;
+        }
+        // Split on comma and check each scope is non-empty and has no internal whitespace
+        const scopes = value.split(",").map((s) => s.trim());
+        return scopes.every((scope) => scope.length > 0 && !/\s/.test(scope));
+      },
+    ),
 });
 
 const AuthenticateOktaForm = () => {
@@ -79,10 +131,15 @@ const AuthenticateOktaForm = () => {
   const handleSubmit = async (values: FormValues) => {
     setScannerError(undefined);
 
+    const config = {
+      ...values,
+      scopes: parseScopesFromCsv(values.scopes),
+    };
+
     const result = await generate({
       organization_key: organizationKey,
       generate: {
-        config: values,
+        config,
         target: ValidTargets.OKTA,
         type: GenerateTypes.SYSTEMS,
       },
@@ -129,23 +186,36 @@ const AuthenticateOktaForm = () => {
                       { title: "Authenticate Okta Scanner" },
                     ]}
                   />
-                  <Text>
-                    To use the scanner to inventory systems in Okta, you must
-                    first authenticate to your Okta account by providing the
-                    following information:
-                  </Text>
+                  <Text>{OKTA_AUTH_DESCRIPTION}</Text>
                 </Box>
                 <Stack>
                   <CustomTextInput
                     name="orgUrl"
-                    label="Domain"
-                    tooltip="The URL for your organization's account on Okta"
+                    label="Organization URL"
+                    tooltip="The URL for your organization's Okta account (e.g. https://your-org.okta.com)"
+                    placeholder="https://your-org.okta.com"
+                  />
+                  <CustomTextInput
+                    name="clientId"
+                    label="Client ID"
+                    tooltip="The OAuth2 client ID from your Okta API Services application"
+                    placeholder="0oa1abc2def3ghi4jkl5"
+                  />
+                  <CustomTextArea
+                    name="privateKey"
+                    label="Private key"
+                    tooltip={PRIVATE_KEY_TOOLTIP}
+                    placeholder='{"kty":"RSA","kid":"...","n":"...","e":"AQAB","d":"..."}'
+                    textAreaProps={{
+                      rows: 8,
+                      style: { fontFamily: "monospace", fontSize: "12px" },
+                    }}
                   />
                   <CustomTextInput
-                    name="token"
-                    label="Okta token"
-                    type="password"
-                    tooltip="The token generated by Okta for your account."
+                    name="scopes"
+                    label="Scopes"
+                    tooltip="OAuth2 scopes to request. Default is okta.apps.read for application discovery"
+                    placeholder="okta.apps.read"
                   />
                 </Stack>
               </>

@@ -24,6 +24,7 @@ export type ConnectionTypeSecretSchemaProperty = {
   items?: { $ref: string };
   sensitive?: boolean;
   multiselect?: boolean;
+  multiline?: boolean;
   options?: string[];
 };
 

@@ -66,12 +66,12 @@ const ConfigureMonitorModal = ({
     { isLoading: isSubmittingOktaUpdate },
   ] = usePutIdentityProviderMonitorMutation();
 
-  let isSubmitting: boolean;
-  if (isOktaIntegration) {
-    isSubmitting = isEditing ? isSubmittingOktaUpdate : isSubmittingOktaCreate;
-  } else {
-    isSubmitting = isSubmittingRegular;
-  }
+  const isSubmittingOkta = isEditing
+    ? isSubmittingOktaUpdate
+    : isSubmittingOktaCreate;
+  const isSubmitting = isOktaIntegration
+    ? isSubmittingOkta
+    : isSubmittingRegular;
 
   const { data: databases } = useGetAvailableDatabasesByConnectionQuery({
     page: 1,

@@ -66,18 +66,10 @@ const MonitorConfigActionsCell = ({
   };
 
   const handleExecute = async () => {
-    // Use Identity Provider Monitor endpoint for Okta, otherwise use regular endpoint
-    if (isOktaMonitor) {
-      const result = await executeOktaMonitor({
-        monitor_config_key: monitorId,
-      });
-      toastExecuteResult(result);
-    } else {
-      const result = await executeRegularMonitor({
-        monitor_config_id: monitorId,
-      });
-      toastExecuteResult(result);
-    }
+    const result = isOktaMonitor
+      ? await executeOktaMonitor({ monitor_config_key: monitorId })
+      : await executeRegularMonitor({ monitor_config_id: monitorId });
+    toastExecuteResult(result);
   };
 
   return (

@@ -256,7 +256,7 @@ export const useMonitorConfigTable = ({
       statusColumn,
       actionsColumn,
     ];
-  }, [integration.secrets, isWebsiteMonitor, onEditMonitor]);
+  }, [integration.secrets, isWebsiteMonitor, isOktaIntegration, onEditMonitor]);
 
   return {
     // Table state and data

@@ -21,14 +21,15 @@ export const OKTA_DESCRIPTION = (
   </>
 );
 
+export const OKTA_AUTH_DESCRIPTION =
+  "Okta integration uses OAuth2 Client Credentials with private_key_jwt for secure authentication. You will need to generate an RSA key in Okta and copy the JSON key to use in Fides.";
+
 const OktaIntegrationOverview = () => (
   <>
     <InfoHeading text="Overview" />
+    <InfoText>{OKTA_DESCRIPTION}</InfoText>
     <InfoText>
-      SSO providers manage user authentication and can help identify systems
-      within your infrastructure. Adding an SSO provider as a data source allows
-      you to detect connected systems, monitor access patterns, and enhance your
-      data map for better visibility and control.
+      <strong>Authentication:</strong> {OKTA_AUTH_DESCRIPTION}
     </InfoText>
   </>
 );

@@ -3,9 +3,11 @@
 /* eslint-disable */
 
 /**
- * The model for the connection config for Okta
+ * The model for the connection config for Okta (OAuth2)
  */
 export type OktaConfig = {
   orgUrl: string;
-  token: string;
+  clientId: string;
+  privateKey: string;
+  scopes?: Array<string>;
 };
diff --git a/docs/fides/docs/config/index.md b/docs/fides/docs/config/index.md
@@ -87,7 +87,7 @@ task_always_eager = true
 
 ### Credentials
 
-The credentials section uses custom keys which can be referenced in specific commands that take the --credentials-id option. For example, a command that uses a credential might look like `fides scan dataset db --credentials-id app_postgres`. The credential object itself will be validated at the time of use depending on what type of credential is required. For instance if `fides scan system okta` is used, it will expect the object to contain orgUrl and token key/value pairs. In the case of a typical database like postgres, it will only expect a connection_string. The following is an example of what a credentials section might look like in a given deployment with various applications:
+The credentials section uses custom keys which can be referenced in specific commands that take the --credentials-id option. For example, a command that uses a credential might look like `fides scan dataset db --credentials-id app_postgres`. The credential object itself will be validated at the time of use depending on what type of credential is required. For instance if `fides scan system okta` is used, it will expect the object to contain orgUrl, clientId, and privateKey key/value pairs for OAuth2 authentication. In the case of a typical database like postgres, it will only expect a connection_string. The following is an example of what a credentials section might look like in a given deployment with various applications:
 
 ```toml title="Example Credentials Section"
 [credentials]

diff --git a/noxfiles/run_infrastructure.py b/noxfiles/run_infrastructure.py
@@ -75,7 +75,8 @@
     ],
     "okta": [
         "OKTA_ORG_URL",
-        "OKTA_API_TOKEN",
+        "OKTA_CLIENT_ID",
+        "OKTA_PRIVATE_KEY",
     ],
 }
 EXTERNAL_DATASTORES = list(EXTERNAL_DATASTORE_CONFIG.keys())

diff --git a/noxfiles/setup_tests_nox.py b/noxfiles/setup_tests_nox.py
@@ -73,7 +73,9 @@ def pytest_ctl(session: Session, mark: str, coverage_arg: str) -> None:
             "-e",
             "AWS_DEFAULT_REGION",
             "-e",
-            "OKTA_CLIENT_TOKEN",
+            "OKTA_CLIENT_ID",
+            "-e",
+            "OKTA_PRIVATE_KEY",
             "-e",
             "BIGQUERY_CONFIG",
             "-e",
@@ -223,7 +225,9 @@ def pytest_ops(
             "-e",
             "OKTA_ORG_URL",
             "-e",
-            "OKTA_API_TOKEN",
+            "OKTA_CLIENT_ID",
+            "-e",
+            "OKTA_PRIVATE_KEY",
             "-e",
             "RDS_MYSQL_AWS_ACCESS_KEY_ID",
             "-e",

diff --git a/requirements.txt b/requirements.txt
@@ -37,7 +37,6 @@ pg8000==1.31.2
 nh3==0.2.15
 numpy==1.24.4
 oauthlib==3.3.1
-okta==2.7.0
 openpyxl==3.0.9
 networkx==3.1
 packaging==23.0
@@ -57,6 +56,7 @@ python-jose[cryptography]==3.3.0
 pyyaml==6.0.1
 pyahocorasick==2.1.0
 redis==3.5.3
+requests-oauth2client>=1.5.0
 requests-oauthlib==2.0.0
 rich-click==1.6.1
 sendgrid==6.9.7