This document provides comprehensive information about the Okta integration in Keep.

Overview

Keep supports Okta as an authentication provider, enabling:
  • Single Sign-On (SSO) via Okta
  • OAuth2/OIDC authentication flow
  • JWT token verification with JWKS
  • Role-based access control through token claims

Environment Variables

Backend Environment Variables

Variable             Description                                                                                          Required
AUTH_TYPE            Set to "OKTA" to enable Okta authentication                                                          Yes
OKTA_DOMAIN          Your Okta domain (e.g., https://company.okta.com)                                                    Yes
OKTA_ISSUER          The issuer URL of your Okta authorization server (e.g., https://company.okta.com/oauth2/default)     Yes
OKTA_CLIENT_ID       Client ID of your Okta application                                                                   Yes
OKTA_CLIENT_SECRET   Client Secret of your Okta application                                                               Yes
OKTA_AUDIENCE        Expected aud claim in the token. Falls back to OKTA_CLIENT_ID if not set                             No
OKTA_JWKS_URL        Explicit JWKS URL. If not set, derived from OKTA_ISSUER                                              No
OKTA_API_TOKEN       Okta API token for management operations                                                             No

Note on OKTA_AUDIENCE: the OKTA_CLIENT_ID fallback matches the aud claim of an Okta ID token. Access tokens minted by a custom Okta authorization server carry that server's configured audience (for the default server this is api://default, unless you changed it) rather than the client ID, so if the token Keep verifies is an access token, set OKTA_AUDIENCE to the authorization server's audience or verification will fail with an audience mismatch.

Frontend Environment Variables

Variable             Description                                                    Example
AUTH_TYPE            Set to "OKTA" to enable Okta authentication                    OKTA
OKTA_ISSUER          The issuer URL of your Okta authorization server               https://company.okta.com/oauth2/default
OKTA_CLIENT_ID       Client ID of your Okta application                             0oa1bcdef2ghijklm3n4
OKTA_CLIENT_SECRET   Client Secret of your Okta application                         abcd1234efgh5678

The client secret is consumed by the frontend's server-side auth callback route (the /api/auth/callback/okta handler), not by browser code. Inject it as a server-only environment variable and never expose it through a public (client-bundled) variable.

Okta Configuration

Creating an Okta Application

  1. Sign in to your Okta Admin Console
  2. Navigate to Applications > Applications
  3. Click Create App Integration
  4. Select OIDC - OpenID Connect as the sign-in method
  5. Select Web Application as the application type
  6. Click Next

Application Settings

  1. App integration name: Enter a name for your application (e.g., “Keep”)
  2. Sign-in redirect URIs: Add your callback URL: https://your-keep-domain.com/api/auth/callback/okta
  3. Sign-out redirect URIs: Add your sign-out URL: https://your-keep-domain.com
  4. Assignments: Assign the application to the appropriate users or groups
  5. Click Save
  6. Copy the Client ID and Client Secret from the application settings

Role Mapping

Keep extracts the user's role from the verified JWT. The role is determined in the following order, and the first match wins:
  1. keep_role claim in the token
  2. role claim in the token
  3. First entry in the groups claim
  4. The default role, user, if none of the above is present
Because only the first entry of groups is consulted, a user who belongs to several groups gets whichever group Okta lists first, not the most privileged or the most specific one.
To configure role mapping, add a custom claim to your Okta authorization server:
  1. Navigate to Security > API > Authorization Servers
  2. Select your authorization server (e.g., default)
  3. Go to the Claims tab
  4. Add a claim named keep_role or groups whose value is the user's Keep role. A dedicated keep_role claim is the unambiguous choice; if you use groups instead, apply a group filter so the claim carries only the group that should decide the Keep role, since Keep reads only the first entry and the order of entries is whatever Okta emits.