Okta can be set up as an OIDC provider for UAA login. To avoid storing a client secret in the UAA configuration, and the follow-on problems that brings (secret rotation, secret distribution and so on), register the external OIDC provider in Okta as a public client: the authorization code exchange is then protected by PKCE instead of a shared secret.
- Create an OIDC application in Okta and configure it as a public client that uses PKCE (no client secret). In the application's "OpenID Connect Configuration" section, add the UAA callback to the "Redirect URIs" list:

  http://{UAA_HOST}/login/callback/{origin}

  Here `{origin}` is the key under which the provider is configured in login.yml (`okta.public` in the example below). Outside a local test setup UAA should be reachable over https, so register the https form of this URI. Additional documentation for achieving this can be found here.
- Copy the client id; it becomes the `relyingPartyId` in the UAA configuration.
- Add a minimal OIDC provider entry to login.yml. Take `discoveryUrl` and `issuer` from the `/.well-known/openid-configuration` document of your Okta domain (in the example, https://trailaccount.okta.com/.well-known/openid-configuration):

  ```yaml
  login:
    oauth:
      providers:
        okta.public:
          type: oidc1.0
          discoveryUrl: https://trailaccount.okta.com/.well-known/openid-configuration
          issuer: https://trailaccount.okta.com
          scopes:
            - openid
          linkText: Login with Okta-Public
          showLinkText: true
          relyingPartyId: 0iak4aiaC4HV39L6g123
  ```

  No `relyingPartySecret` is set: the provider is a public client, and the code exchange relies on PKCE rather than on a secret stored in UAA.
- Ensure that the scope `openid` is included in the `scopes` property; without it the request is a plain OAuth request rather than an OpenID Connect request, and UAA receives no id_token from which to establish the user's identity.
- Restart UAA. The login page now shows a "Login with Okta-Public" link (the `linkText` value).
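As an added example, not part of the UAA documentation or the UAA code base, the following Python script checks a provider entry like the one above for the properties this setup depends on (openid scope, matching issuer and discovery URL, a client id but no secret, PKCE S256 advertised by the provider), derives the callback URI to register in Okta from the origin key, and builds the authorization request a PKCE public client sends. The discovery document, the endpoint paths and the UAA host `uaa.example.com` are constructed for the example; nothing is fetched from Okta, and the request shows the shape of a PKCE authorization request rather than UAA's exact implementation.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# The provider entry from login.yml (login.oauth.providers.<origin>).  The key
# "okta.public" is the origin and is also the last path element of the callback.
ORIGIN = "okta.public"
PROVIDER = {
    "type": "oidc1.0",
    "discoveryUrl": "https://trailaccount.okta.com/.well-known/openid-configuration",
    "issuer": "https://trailaccount.okta.com",
    "scopes": ["openid"],
    "linkText": "Login with Okta-Public",
    "showLinkText": True,
    "relyingPartyId": "0iak4aiaC4HV39L6g123",
}

# Constructed stand-in for the JSON that GET discoveryUrl returns; only the
# fields the checks below need.  Assumption: the endpoint paths are illustrative.
DISCOVERY = {
    "issuer": "https://trailaccount.okta.com",
    "authorization_endpoint": "https://trailaccount.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://trailaccount.okta.com/oauth2/v1/token",
    "code_challenge_methods_supported": ["S256"],
}


def callback_uri(uaa_host, origin=ORIGIN, scheme="https"):
    """Redirect URI to register in Okta: {scheme}://{UAA_HOST}/login/callback/{origin}."""
    return f"{scheme}://{uaa_host}/login/callback/{origin}"


def check_provider(provider, discovery):
    """Return the list of problems found; an empty list means the entry is consistent."""
    problems = []
    if provider.get("type") != "oidc1.0":
        problems.append("type must be oidc1.0")
    if "openid" not in provider.get("scopes", []):
        problems.append("scopes must include openid, otherwise no id_token is issued")
    issuer = provider.get("issuer", "")
    if issuer != discovery.get("issuer"):
        problems.append("issuer in login.yml differs from the issuer in the discovery document")
    if provider.get("discoveryUrl") != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append("discoveryUrl is not <issuer>/.well-known/openid-configuration")
    if not provider.get("relyingPartyId"):
        problems.append("relyingPartyId (the Okta client id) is missing")
    if provider.get("relyingPartySecret"):
        problems.append("relyingPartySecret is set; a PKCE public client must not carry a secret")
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        problems.append("provider does not advertise PKCE S256, which a public client relies on")
    return problems


def pkce_challenge(verifier):
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier():
    """Fresh high-entropy code_verifier: 32 random bytes as 43 URL-safe characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def authorization_request(provider, discovery, uaa_host, verifier, state):
    """Authorization request a PKCE public client sends (the shape only, not UAA's exact code)."""
    params = {
        "client_id": provider["relyingPartyId"],
        "response_type": "code",
        "scope": " ".join(provider["scopes"]),
        "redirect_uri": callback_uri(uaa_host),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    for line in check_provider(PROVIDER, DISCOVERY) or ["provider entry looks consistent"]:
        print(line)
    print("register in Okta:", callback_uri("uaa.example.com"))
    verifier = new_verifier()  # kept by the client until the code is redeemed at token_endpoint
    print(authorization_request(PROVIDER, DISCOVERY, "uaa.example.com", verifier, secrets.token_urlsafe(16)))
```

The verifier never leaves the client until the authorization code is redeemed at the token endpoint, so an intercepted code is useless without it; that is what lets the configuration above omit `relyingPartySecret`. Run the script against a copy of your own provider entry, and note that a `relyingPartySecret` left in place, or a provider that does not list `S256`, is reported as a problem rather than silently accepted.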