Okta OIDC Configuration Guide
March 27, 2026 · View on GitHub
Warning
This guide is in draft mode. Any feedback is appreciated!
This guide provides step-by-step instructions for configuring Okta as the OIDC identity provider for the ATT&CK Workbench REST API.
Prerequisites
- Okta account (free Developer account or enterprise)
- Administrator access to Okta Admin Console
- ATT&CK Workbench REST API installed
Overview
This guide focuses on configuring Okta as your OIDC provider. After completing Okta setup:
- Proceed to REST API Configuration to configure the Workbench REST API
- Then follow Testing & Verification to confirm everything works
This guide covers only the Okta-specific configuration steps.
Step 1: Create OIDC Application in Okta
-
Log into Okta Admin Console:
- Navigate to your Okta domain (e.g.,
https://dev-12345.okta.com/admin) - Sign in as an administrator
- Navigate to your Okta domain (e.g.,
-
Navigate to Applications:
- In the Admin Console, go to Applications → Applications
- Click Create App Integration
-
Select Sign-in Method:
- Sign-in method:
OIDC - OpenID Connect - Application type:
Web Application - Click Next
- Sign-in method:
-
Configure General Settings:
- App integration name:
ATT&CK Workbench REST API - Logo (optional): Upload a logo if desired
- Click Next or continue to Grant type
- App integration name:
Step 2: Configure Application Settings
-
Grant Type:
- ✓ Authorization Code (required)
- ✗ Refresh Token (optional, not required)
- ✗ Implicit (not recommended)
-
Sign-in redirect URIs: Add your callback URL(s):
-
For single environment:
https://workbench.example.com/api/authn/oidc/callback -
For multiple environments, add each separately:
http://localhost:3000/api/authn/oidc/callback https://workbench.example.com/api/authn/oidc/callback
-
-
Sign-out redirect URIs (optional):
-
Add your application's base URLs:
http://localhost:3000 https://workbench.example.com
-
-
Controlled access (Assignments):
- Allow everyone in your organization to access: For initial setup/testing
- Limit access to selected groups: For production (recommended)
- Select the appropriate option for your needs
-
Click Save
Step 3: Get Client Credentials
After saving, you'll be taken to the application details page:
-
Note the following values:
- Client ID: Found under "Client Credentials"
- Client Secret: Click to reveal and copy
- Okta domain: Your Okta domain (e.g.,
dev-12345.okta.com)
-
Determine your Issuer URL:
- For Okta Developer accounts:
https://<your-okta-domain>/oauth2/default - For custom authorization servers:
https://<your-okta-domain>/oauth2/<authServerId> - For org authorization server:
https://<your-okta-domain>
To find your issuer URL:
- Go to Security → API in the Okta Admin Console
- Find your authorization server (typically "default" for developer accounts)
- Copy the Issuer URI
- For Okta Developer accounts:
Step 4: Configure OpenID Connect Scopes
-
Navigate to your Authorization Server:
- Go to Security → API
- Click on your authorization server (e.g., "default")
-
Verify Scopes:
- Go to the Scopes tab
- Ensure these scopes exist and are enabled:
openid(required)email(required)profile(required)
-
Configure Claims (verify defaults):
- Go to the Claims tab
- Verify these claims are configured for ID Token:
sub(subject - default)email(from user.email)preferred_username(from user.login or user.email)name(from user.displayName or concatenated firstName/lastName)
If missing, add them:
- Click Add Claim
- Name:
email - Include in token type:
ID Token,Always - Value type:
Expression - Value:
user.email - Save
Step 5: Create or Assign Users
Option A: Create New Users
-
Navigate to Users:
- Go to Directory → People
- Click Add Person
-
Fill in User Details:
- First name:
Admin - Last name:
User - Username:
admin@example.com - Primary email:
admin@example.com - Password: Choose how to set:
- Set by admin
- Set by user (email activation)
- Click Save
- First name:
-
Assign to Application:
- On the user's profile, go to Applications tab
- Click Assign Applications
- Find "ATT&CK Workbench REST API"
- Click Assign → Save and Go Back
Option B: Assign Existing Users
- From the Application:
- Go to Applications → Applications
- Click on "ATT&CK Workbench REST API"
- Go to Assignments tab
- Click Assign → Assign to People or Assign to Groups
- Select users/groups and click Assign
Next Steps
You've completed the Okta configuration. Now proceed with:
-
Configure the REST API - Set up the Workbench REST API to use Okta
You'll need these values from the steps above:
- Issuer URL: From Step 3 (e.g.,
https://dev-12345.okta.com/oauth2/default) - Client ID: From Step 3
- Client Secret: From Step 3
- Issuer URL: From Step 3 (e.g.,
-
Test & Verify - Confirm authentication is working correctly
Troubleshooting
Okta Issuer URL Format
Issue: Discovery fails with Okta.
Solution: Verify the issuer URL format is correct for your Okta setup:
- With authorization server:
https://<domain>/oauth2/<authServerId> - Default auth server:
https://<domain>/oauth2/default - Org auth server:
https://<domain>
Test the discovery endpoint manually:
curl https://dev-12345.okta.com/oauth2/default/.well-known/openid-configuration
Okta User Assignment
Issue: Error "User is not assigned to the client application" during authentication.
Solution: Okta requires explicit user/group assignment to applications:
- Go to your application in Okta Admin Console
- Go to Assignments tab
- Assign the user or their group to the application
Okta Claims Configuration
Issue: Missing user information after authentication.
Solution: Ensure claims are properly configured in Okta:
- Go to Security → API → your authorization server → Claims tab
- Verify claims for
email,preferred_username, andnameexist - Ensure claims are configured to be included in ID Token (not just Access Token)
- Check that Okta users have email addresses configured in their profiles
Okta Redirect URI Restrictions
Issue: "Invalid redirect URI" error.
Solution: Okta requires exact URI matches (no wildcards):
- In Okta application settings, check "Sign-in redirect URIs"
- URIs must be exact matches - no wildcard patterns allowed
- Add each environment's callback URL separately
Advanced Configuration
Service Account Authentication
Okta supports Client Credentials flow for service-to-service authentication.
-
Create a Machine-to-Machine application:
- In Okta, create a new app integration
- Choose API Services application type
- Note the Client ID and Client Secret
-
Configure in REST API:
# In .env file SERVICE_ACCOUNT_OIDC_ENABLE=true JWKS_URI=https://dev-12345.okta.com/oauth2/default/v1/keys -
Add to JSON config file:
{ "serviceAuthn": { "oidcClientCredentials": { "enable": true, "clients": [ { "clientId": "0oa3xb9oz3QLY1avc5d7", "serviceRole": "collection-manager" } ] } } }
See sample configuration for reference.
Custom Authorization Server
For production deployments, consider creating a custom authorization server:
- Go to Security → API
- Click Add Authorization Server
- Configure your custom authorization server
- Use the custom server's Issuer URI in your configuration
Benefits:
- Isolated from default server
- Custom claims and scopes
- Better control over token lifetimes
- Separate audience values
Group-Based Access Control
To restrict access based on Okta groups:
- Create groups in Okta (Directory → Groups)
- Assign users to groups
- Configure application assignment:
- Assign groups to your application instead of individual users
- Add group claim to tokens (optional):
- Go to your authorization server → Claims
- Add a
groupsclaim to include group memberships in tokens
- Custom logic in Workbench to read and apply groups (requires code modification)
Multi-Factor Authentication (MFA)
Okta supports comprehensive MFA options:
- Configure Sign-On Policy:
- In your application, go to Sign On tab
- Edit or create a sign-on policy
- Add a rule that requires MFA
- No changes needed in Workbench
- Users will be prompted for MFA during Okta login