> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getcollate.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Okta SSO (Docker) | Collate Deployment Guide

> Configure Okta Authorization Code Flow to handle secure user login through backend token validation and maintain session integrity in web platforms.

# Auth Code Flow

### Step 1: Configuring the App

* Once you are in the **Create a new app integration** page, select **OIDC - OpenID Connect**.
* Next, select the **Application type -> Web Application**.
* Once selected, click **Next**.

<img src="https://mintcdn.com/collatedocs/ikJXao7nE8Si2b_F/public/images/deployment/security/okta/okta-auth-code-1.png?fit=max&auto=format&n=ikJXao7nE8Si2b_F&q=85&s=e86f2814fdcb466c99d211568a25e4d5" alt="configuring-the-app" width="1492" height="1284" data-path="public/images/deployment/security/okta/okta-auth-code-1.png" />

* From the **General Settings** page,
  * Enter an **App integration name**
  * Select the following in **Grant type**:
    * **Authorization Code**
    * **Refresh Token** - For the refresh token behavior, it is recommended to select the option to 'Rotate token after every use'.
    * **Implicit (hybrid)** - Select the options to allow ID Token and Access Token with implicit grant type.
  * Enter the **Sign-in redirect URIs**
    * [http://localhost:8585/callback](http://localhost:8585/callback)
    * [http://localhost:8585/silent-callback](http://localhost:8585/silent-callback)
  * Enter the **Sign-out redirect URIs**
  * Enter the **Base URIs**
  * Select the required option for **Controlled access**
* Click **Save**.

<img src="https://mintcdn.com/collatedocs/ikJXao7nE8Si2b_F/public/images/deployment/security/okta/okta-auth-code-2.png?fit=max&auto=format&n=ikJXao7nE8Si2b_F&q=85&s=298ce6993c5c0725fc4727e99abc7e77" alt="general-settings-click-save" width="966" height="1784" data-path="public/images/deployment/security/okta/okta-auth-code-2.png" />

* The app is now configured.

<img src="https://mintcdn.com/collatedocs/ikJXao7nE8Si2b_F/public/images/deployment/security/okta/okta-auth-code-3.1.png?fit=max&auto=format&n=ikJXao7nE8Si2b_F&q=85&s=6df2979042e9645298b6b0ec7f3b2695" alt="app-is-configured" width="1118" height="1978" data-path="public/images/deployment/security/okta/okta-auth-code-3.1.png" />

<img src="https://mintcdn.com/collatedocs/ikJXao7nE8Si2b_F/public/images/deployment/security/okta/okta-auth-code-3.2.png?fit=max&auto=format&n=ikJXao7nE8Si2b_F&q=85&s=cf4cadd975ad83932ae45cf73fa1d4f2" alt="app-is-configured" width="1112" height="1972" data-path="public/images/deployment/security/okta/okta-auth-code-3.2.png" />

### Step 2: Add Authorization Server to get the Issuer URL

#### New Authorization Server

It is recommended to create a separate authorization server for different applications. The authorization server needs an endpoint, which'll be the Issuer URL.

* Click on **Security -> API** in the left navigation panel.

<img src="https://mintcdn.com/collatedocs/ikJXao7nE8Si2b_F/public/images/deployment/security/okta/click-security-api.png?fit=max&auto=format&n=ikJXao7nE8Si2b_F&q=85&s=60c3865c524b7cea7ba22990a517e987" alt="click-security-api" width="1052" height="647" data-path="public/images/deployment/security/okta/click-security-api.png" />

* From the **Authorization Servers** tab, click on **Add Authorization Server** button.

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/okta/click-add-authorization-server.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=c49fd9d0232fe387af06d9e3d11bc2f5" alt="click-add-authorization-server" width="2093" height="439" data-path="public/images/deployment/security/okta/click-add-authorization-server.png" />

* Enter a Name and Description.
* While creating the authorization server, an **Audience** must be provided for the server. The Audience is the **Client ID** of the single page application that was created. Refer to the application configuration section above to locate the Client ID.
* **Save** the changes.

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/okta/add-auth-server-save-changes.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=4cc345c72609e8fa1f4b6f7a214663b4" alt="add-auth-server-save-changes" width="1421" height="679" data-path="public/images/deployment/security/okta/add-auth-server-save-changes.png" />

This will generate the Issuer URL.

#### Default Authorization Server (not recommended )

It is recommended to create a separate authorization server for different applications. The authorization server needs an endpoint, which'll be the Issuer URL.

* Click on **Security -> API** in the left navigation panel.

<img src="https://mintcdn.com/collatedocs/ikJXao7nE8Si2b_F/public/images/deployment/security/okta/click-security-api.png?fit=max&auto=format&n=ikJXao7nE8Si2b_F&q=85&s=60c3865c524b7cea7ba22990a517e987" alt="click-security-api" width="1052" height="647" data-path="public/images/deployment/security/okta/click-security-api.png" />

* From the **Authorization Servers** tab, click on **default** server.

<img src="https://mintcdn.com/collatedocs/ikJXao7nE8Si2b_F/public/images/deployment/security/okta/default-server.png?fit=max&auto=format&n=ikJXao7nE8Si2b_F&q=85&s=6a04f9cc250009dd67cb88bddd995176" alt="default-server" width="2240" height="764" data-path="public/images/deployment/security/okta/default-server.png" />

### Step 3: Change the Issuer URL from Dynamic to Okta URL

Once the Authorization Server has been added, navigate to Security >> API >> Authorization Servers and click on the authorization server created in the previous step.

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/okta/click-auth-server-from-prev-step.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=749db1fa8984a7fc0d01ded54c8e232a" alt="click-auth-server-from-prev-step" width="2833" height="1525" data-path="public/images/deployment/security/okta/click-auth-server-from-prev-step.png" />

The Issuer URL shows up as Dynamic by default. Change the Issuer URL to Okta URL and save the changes.

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/okta/change-issuer-url.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=3a381c8abc13b7aac21ee51ca2de36e3" alt="change-issuer-url" width="1214" height="1236" data-path="public/images/deployment/security/okta/change-issuer-url.png" />

### Step 4: Create a Default Scope

* To create a default scope from **Security -> API**, click on the required **Authorization Server**.

<img src="https://mintcdn.com/collatedocs/ikJXao7nE8Si2b_F/public/images/deployment/security/okta/click-req-auth-server.png?fit=max&auto=format&n=ikJXao7nE8Si2b_F&q=85&s=7610af262e8eae8f26d10cae4303d9d0" alt="click-req-auth-server" width="1363" height="572" data-path="public/images/deployment/security/okta/click-req-auth-server.png" />

* In the resulting page, click on the **Scopes** tab
* Click on **Add Scope**

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/okta/add-scope.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=896cebf8d5ba22614efcce0b147147eb" alt="add-scope" width="1365" height="526" data-path="public/images/deployment/security/okta/add-scope.png" />

* Set as a **Default Scope**.

<img src="https://mintcdn.com/collatedocs/ikJXao7nE8Si2b_F/public/images/deployment/security/okta/set-default-scope.png?fit=max&auto=format&n=ikJXao7nE8Si2b_F&q=85&s=e5e27cae3e3dfd18ef0fe52355475c0c" alt="set-default-scope" width="1412" height="1308" data-path="public/images/deployment/security/okta/set-default-scope.png" />

### Step 5: Add New Access Policy and Rule

* From **Security -> API**, click on the required **Authorization Server**
* Navigate to the **Access Policies Tab**
* Click on **Add New Access Policy**

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/okta/add-new-access-policy.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=c20cf9ecead26a2319b845a7561b204f" alt="add-new-access-policy" width="1368" height="574" data-path="public/images/deployment/security/okta/add-new-access-policy.png" />

* To create a policy, add a Name and Description.
* Assign the policy to the required clients.

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/okta/assign-policy.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=0aff00243e8ad8428d258485ed00ab18" width="1312" height="743" data-path="public/images/deployment/security/okta/assign-policy.png" />

* Add a new **Rule** inside the policy as required. Rules can be created with just a few grant type details, such as Client Credentials, Authorization Code, Device Authorization, and Token Exchange.
* Click on **Create Rule** to save the changes.

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/okta/add-rule.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=05e7e0d0abea7823a7a1ef739aca834e" alt="add-rule" width="1400" height="2016" data-path="public/images/deployment/security/okta/add-rule.png" />

### Step 6: Where to Find the Credentials

* Once the app is configured, the **Client ID** can be used.
* You can also go to **Application -> Application** as in step 2.
* You should be able to see your application in the list.

<img src="https://mintcdn.com/collatedocs/ikJXao7nE8Si2b_F/public/images/deployment/security/okta/see-your-application.png?fit=max&auto=format&n=ikJXao7nE8Si2b_F&q=85&s=391673cb6684ba9363c33d34cc41d5c0" alt="see-your-application" width="1496" height="659" data-path="public/images/deployment/security/okta/see-your-application.png" />

* Click on your application.
* You will find your **Client ID** and **Okta domain**.
* The **Client authentication** is enabled by default.
* Click the **Edit** button in the **General Settings** section, then deselect the **User consent** option and save the changes.

<img src="https://mintcdn.com/collatedocs/ikJXao7nE8Si2b_F/public/images/deployment/security/okta/deselect-user-consent.png?fit=max&auto=format&n=ikJXao7nE8Si2b_F&q=85&s=98f8b7d7d8cd3d4f948fac550d78af9f" alt="deselect-user-consent" width="1437" height="3827" data-path="public/images/deployment/security/okta/deselect-user-consent.png" />

* Click on the **Sign On** tab from the top navigation bar.
* Click on Edit for **OpenID Connect ID Token**.
* For **Issuer**, change from the Dynamic (based on request domain) option to the **Okta URL** option.
* The **Audience** is the same as the Client ID.

<img src="https://mintcdn.com/collatedocs/-DMyLKbnTY6RpJyT/public/images/deployment/security/okta/click-edit-token.png?fit=max&auto=format&n=-DMyLKbnTY6RpJyT&q=85&s=6d8ea8ac7e5d9307f3942f09db1b3414" alt="click-edit-token" width="2000" height="2932" data-path="public/images/deployment/security/okta/click-edit-token.png" />
