## Okta integration

Okta is an identity and access management platform that provides authentication, user management, and authorization services. Integrating Okta with Frontegg allows your application to list users, manage groups, access applications, and read system logs on behalf of your users using OAuth 2.0.

### Prerequisites

- An [Okta account](https://www.okta.com/) with admin access to the Okta Admin Console

### Connect Okta

#### Step 1: Open the Okta Admin Console

Sign in to your Okta Admin Console. The URL follows the format `https://{yourOktaDomain}-admin.okta.com/admin/dashboard`. Your Okta domain is visible in the browser address bar — for example, if your URL is `https://acme-admin.okta.com`, your domain is `acme.okta.com`.

![Okta Admin Console dashboard](/assets/okta-1.14b7c81d2863ae1967f5b2f28cd02b918a3a71e3b2e7a6249f82b5d50de6169f.1ce25488.png)

#### Step 2: Open the Applications list

In the left navigation, click **Applications** → **Applications**. The Applications page lists all app integrations registered in your Okta org. Click **Create App Integration** to start the wizard.

![Okta Applications page with Create App Integration highlighted](/assets/okta-2.405592889b2ace4324ce32e953b9be6467f3b721ff4bf1ad3181154acd7fa7f2.1ce25488.png)

#### Step 3: Select the sign-in method and application type

In the **Create a new app integration** dialog:

1. Under **Sign-in method**, select **OIDC - OpenID Connect**.
2. Under **Application type**, select **Web Application**.

Click **Next**.

![Create a new app integration dialog with OIDC and Web Application selected](/assets/okta-3.e7f5c56108adeab51978f53821611e63df3e58c88ab3b675f541202a7e3f52d6.1ce25488.png)

#### Step 4: Fill in the app integration settings

Complete the **New Web App Integration** form:

- **App integration name** — Enter a descriptive name, for example `Frontegg Integration`.
- **Grant type** — Under **Core grants**, keep **Authorization Code** checked (required). Also check **Refresh Token**.
- **Sign-in redirect URIs** — Replace the default value with the following URI:
  - `https://YOUR_MCP_GATEWAY_URL/integration-callback`
- **Controlled access** — Select **Skip group assignment for now**.

![New Web App Integration form filled in](/assets/okta-4.193132527cf54d8077be0cc7e7b8375ec78296062d35cc8517fd163a19b25bd1.1ce25488.png)

#### Step 5: Review the redirect URIs

Confirm that the Frontegg redirect URI appears in the **Sign-in redirect URIs** section before saving.

![Sign-in redirect URIs section showing the Frontegg callback URL](/assets/okta-5.e1cb772e408fcc5cafb63828b94e13e947d67844b92daa50c517799885f91fa6.1ce25488.png)

Click **Save**.

#### Step 6: View the app details page

After saving, Okta redirects you to the app details page for **Frontegg Integration**. This confirms the app was created successfully.

![Frontegg Integration app details page](/assets/okta-6.2046a77a4fd8b9aa74b9f05d6c1ed72471599a7781d02f104c4d1dbf5183259c.1ce25488.png)

#### Step 7: Copy your credentials

On the **General** tab, scroll to the **Client Credentials** section:

- **Client ID** — Copy the value shown in the Client ID field.
- **Client Secret** — Under **CLIENT SECRETS**, click the copy icon next to the masked secret value to copy it to your clipboard.

**Copy your Client Secret now**

The Client Secret is masked after creation. Use the copy icon to retrieve it. If you lose it, click **Generate new secret** to create a replacement.

![Client Credentials section showing Client ID and masked Client Secret](/assets/okta-7.e0f1c66a0cb61cb0989e91f5699f1f0aae8c56aaf11ce3fff92990befe615d55.1ce25488.png)

### Configure the Frontegg portal

Once you have obtained your **Client ID** and **Client Secret** from the steps above, configure the integration in the Frontegg portal:

1. Open the **Frontegg portal** and navigate to [ENVIRONMENT] → Integrations → Okta.
2. Enter your **Okta domain** — the hostname of your Okta org.
   For example, if your admin console URL is `https://acme-admin.okta.com`, your domain is `acme.okta.com`.
3. Enter the **Client ID** and **Client Secret** in the corresponding fields.
4. Select the required **scopes**:

| Scope | Description |
| --- | --- |
| `openid` | Required for OpenID Connect authentication |
| `profile` | Access user profile information |
| `email` | Access user email address |
| `phone` | Access user phone number |
| `address` | Access user address |
| `offline_access` | Obtain refresh tokens for long-lived access |
| `okta.users.read` | Read user information |
| `okta.users.manage` | Create, update, and deactivate users |
| `okta.groups.read` | Read group information |
| `okta.groups.manage` | Create, update, and delete groups |
| `okta.apps.read` | Read application information |
| `okta.apps.manage` | Manage applications |
| `okta.authorizationServers.read` | Read authorization server information |
| `okta.authorizationServers.manage` | Manage authorization servers |
| `okta.logs.read` | Read system log events |

5. Click **Save**.

**Keep your credentials secure**

Never share or commit your Client Secret to version control.

### Additional resources

- [Okta OAuth 2.0 and OpenID Connect overview](https://developer.okta.com/docs/concepts/oauth-openid/)
- [Okta API scopes reference](https://developer.okta.com/docs/api/oauth2/)
- [Okta Admin Console](https://developer.okta.com/login/)
- [How to get your Redirect URL](/agen-for-work/connectors/redirect-url)
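
A pre-save check for the values entered in the steps above: it derives the Okta domain from an Admin Console URL and reviews the redirect URI and the selected scopes against the scope table. This is an added example, not Frontegg or Okta code; the function names, the read/manage grouping and the `gateway.example.com` host used to exercise it are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Scope names are copied from the scope table; the grouping is this example's own.
IDENTITY = {"openid", "profile", "email", "phone", "address", "offline_access"}
RESOURCES = ("users", "groups", "apps", "authorizationServers", "logs")
READ = {f"okta.{r}.read" for r in RESOURCES}
MANAGE = {f"okta.{r}.manage" for r in RESOURCES if r != "logs"}


def okta_domain(admin_url):
    """Map https://acme-admin.okta.com/... to acme.okta.com, rejecting anything else."""
    parts = urlsplit(admin_url)
    label, _, parent = (parts.hostname or "").lower().partition(".")
    org = label[:-len("-admin")] if label.endswith("-admin") else ""
    if parts.scheme != "https" or not org or not parent:
        raise ValueError(f"not an https Okta Admin Console URL: {admin_url!r}")
    return f"{org}.{parent}"


def review_settings(redirect_uri, scopes):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    uri = urlsplit(redirect_uri)
    if uri.scheme != "https" or not uri.hostname:
        findings.append("redirect URI must be an absolute https URL")
    if "YOUR_MCP_GATEWAY_URL" in redirect_uri:
        findings.append("redirect URI still contains the placeholder")
    if not uri.path.endswith("/integration-callback") or uri.query or uri.fragment:
        findings.append("redirect URI must end in /integration-callback, no query or fragment")
    chosen = set(scopes)
    if "openid" not in chosen:
        findings.append("openid is missing (required for OpenID Connect)")
    # Anything outside the table is likely a typo or a scope nobody reviewed.
    for scope in sorted(chosen - IDENTITY - READ - MANAGE):
        findings.append(f"{scope}: not in the scope table")
    # Manage scopes grant write access; surface each one for an explicit decision.
    for scope in sorted(chosen & MANAGE):
        findings.append(f"{scope}: write access, keep only if the integration changes it")
    if "offline_access" in chosen:
        findings.append("offline_access: refresh tokens are long-lived, protect their storage")
    return findings
```
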