Setting up OIDC

July 8, 2025 ยท View on GitHub

You can use the Okta Developer Program to test OAuth flow.

  1. Create a Okta Developer Account by either:
  • manually creating your new account using any email address and password values, or
  • selecting the appropriate 'Continue with Google/GitHub/Microsoft' option and specifying your existing account on that system for Okta to validate your login
  1. Create a new App in the Okta UI.
    • Select OIDC - OpenID Connect.
    • Select Web Application.
  2. In grant type, select Client Credentials.
  3. Select Allow Everyone to Access.
  4. Deselect Federation Broker Mode.
  5. Select OK and generate a client secret.
  6. In the Okta settings, go to the API settings for your default authenticator.
  7. Select Audience to be your client ID.

Config requirements

Setting up OIDC for Armada requires two separate configs (one for the Armada server, one for the client's)

Add the following to your Armada server config:

 auth:
    anonymousAuth: false
    openIdAuth:
      providerUrl: "https://OKTA_DEV_USERNAME.okta.com/oauth2/default"
      groupsClaim: "groups"
      clientId: "CLIENT_ID_FROM_UI"
      scopes: []

For client credentials, use the following config for the executor and other clients.

  openIdClientCredentialsAuth:
      providerUrl: "https://OKTA_DEV_USERNAME.okta.com/oauth2/default"
    clientId: "CLIENT_ID_FROM_UI"
    clientSecret: "CLIENT_SECRET"
    scopes: []

If you want to interact with Armada, you have to use one of our client APIs. The armadactl is not setup to work with OIDC at this time.