Enable OAuth authentication method for Okta

In addition to API tokens, support the auth using an OAuth 2.0 service app credentials.
3rd-party-integrations · Apr 21, 2022 · 4c57c64 · 4c57c64
1 parent effc1e4
commit 4c57c64
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 7 deletions.
diff --git a/.env.example.okta b/.env.example.okta
@@ -30,12 +30,28 @@ USER_SYNC_ATTRIBUTE=username
 ###################
 ## Your organizations Okta URL
 OKTA_ORG_URL=https://example.okta.com
-## The bot's access token
-OKTA_ACCESS_TOKEN=asdfghkjliptojkjsj00294759
 ## The attribute which corresponds to the GitHub Username
 ## NOTE: This cannot be an email address
 OKTA_USERNAME_ATTRIBUTE=github_username
 
+###############################
+## Okta token authentication ##
+###############################
+## The bot's access token
+OKTA_ACCESS_TOKEN=asdfghkjliptojkjsj00294759
+
+###############################
+## Okta OAuth authentication ##
+###############################
+## Auth method switch
+OKTA_AUTH_METHOD=oauth
+## Okta OIDC app client ID
+OKTA_CLIENT_ID=abcdefghijkl
+## Okta OIDC auth scopes
+OKTA_SCOPES=okta.users.read
+## Okta OIDC app private key (JWK format)
+OKTA_PRIVATE_KEY='{"kty": "RSA", ...}'
+
 #########################
 ## Additional settings ##
 #########################

diff --git a/README.md b/README.md
@@ -168,8 +168,16 @@ AZURE_USER_IS_UPN=true
 ### Sample `.env` for Okta
 ```env
 OKTA_ORG_URL=https://example.okta.com
-OKTA_ACCESS_TOKEN=asdfghkjliptojkjsj00294759
 OKTA_USERNAME_ATTRIBUTE=github_username
+
+# token login
+OKTA_ACCESS_TOKEN=asdfghkjliptojkjsj00294759
+
+# OAuth login
+OKTA_AUTH_METHOD=oauth
+OKTA_CLIENT_ID=abcdefghijkl
+OKTA_SCOPES=okta.users.read
+OKTA_PRIVATE_KEY='{"kty": "RSA", ...}'
 ```
 
 ### Sample `.env` for OneLogin

diff --git a/githubapp/okta.py b/githubapp/okta.py
@@ -10,10 +10,15 @@
 class Okta:
     def __init__(self):
         self.USERNAME_ATTRIBUTE = os.environ.get("OKTA_USERNAME_ATTRIBUTE", "login")
-        config = {
-            "orgUrl": os.environ["OKTA_ORG_URL"],
-            "token": os.environ["OKTA_ACCESS_TOKEN"],
-        }
+        auth_method = os.environ.get("OKTA_AUTH_METHOD", "token")
+        config = {"orgUrl": os.environ["OKTA_ORG_URL"]}
+        if auth_method == "oauth":
+            config["authorizationMode"] = "PrivateKey"
+            config["clientId"] = os.environ["OKTA_CLIENT_ID"]
+            config["scopes"] = os.environ["OKTA_SCOPES"]
+            config["privateKey"] = os.environ["OKTA_PRIVATE_KEY"]
+        else:
+            config["token"] = os.environ["OKTA_ACCESS_TOKEN"]
         self.client = OktaClient(config)
 
     def get_group_members(self, group_name=None):