openbao · hixichen · Sep 27, 2025 · Sep 27, 2025 · Sep 27, 2025 · Sep 27, 2025
@@ -20,6 +20,7 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 * Add caching of STS-exchanged access.
 * Add dependabot configuration and update dependencies to the latest
   versions.
+* Added Okta provider support with private key JWT authentication
 
 ## [3.1.1] - 2023-02-02
 

@@ -200,6 +200,41 @@ token_url_params    map[audience:https://dev-example.us.auth0.com/api/v2/]
 type                Bearer
 ```
 
+
+#### Client credentials with Private Key JWT Authentication
+
+Store private key in a file (e.g., private_key.pem), then configure Okta server with private key
+```
+export OKTA_PRIVATE_KEY=$(cat private_key.pem)
+
+$ vault write oauth2/servers/okta-example-jwt \
+    provider=okta \
+    provider_options=domain=dev-123456.okta.com \
+    provider_options=private_key="$OKTA_PRIVATE_KEY" \
+    client_id=0oa1234567890abcdef
+Success! Data written to: oauth2/servers/okta-example-jwt
+```
+
+Configure credentials
+```
+$ vault write oauth2/self/my-okta-jwt-auth \
+    server=okta-example-jwt \
+    grant_type=client_credentials \
+    scopes=okta.groups.read
+Success! Data written to: oauth2/self/my-okta-jwt-auth
+```
+
+```
+$ vault read oauth2/self/my-okta-jwt-auth
+Key             Value
+---             -----
+access_token    eyJraWQiOixxxx
+expire_time     2024-11-05T21:41:13.392595-08:00
+scopes          [okta.groups.read]
+server          okta-example-jwt
+type            Bearer
+```
+
 ## Tips
 
 For some operations, you may find that you need to provide a map of data for a
@@ -590,6 +625,54 @@ This provider implements the OpenID Connect protocol version 1.0.
 
 [Documentation](https://api.slack.com/docs/oauth)
 
+### Okta (`okta`)
+
+[Documentation](https://developer.okta.com/docs/reference/api/oidc/)
+
+This provider supports Okta's OAuth 2.0 implementation with both client secret and private key JWT authentication methods.
+
+#### Configuration options
+
+| Name | Description | Default | Required |
+|------|-------------|---------|----------|
+| `domain` | The Okta domain (e.g., `dev-123456.okta.com`) | None | Yes |
+| `private_key` | RSA private key in PKCS#8 PEM format for Private Key JWT authentication. If provided, this method will be used instead of client secret. | None | No |
+| `scheme` | The URL scheme to use for Okta endpoints | `https` | No |
+
+#### Examples
+
+Store private key in a file (e.g., private_key.pem), then configure Okta server with private key
+```
+export OKTA_PRIVATE_KEY=$(cat private_key.pem)
+
+$ vault write oauth2/servers/okta-example-jwt \
+    provider=okta \
+    provider_options=domain=dev-123456.okta.com \
+    provider_options=private_key="$OKTA_PRIVATE_KEY" \
+    client_id=0oa1234567890abcdef
+Success! Data written to: oauth2/servers/okta-example-jwt
+```
+
+Configure credentials
+```
+$ vault write oauth2/self/my-okta-jwt-auth \
+    server=okta-example-jwt \
+    grant_type=client_credentials \
+    scopes=okta.groups.read
+Success! Data written to: oauth2/self/my-okta-jwt-auth
+```
+
+```
+$ vault read oauth2/self/my-okta-jwt-auth
+Key             Value
+---             -----
+access_token    eyJraWQiOixxxx
+expire_time     2024-11-05T21:41:13.392595-08:00
+scopes          [okta.groups.read]
+server          okta-example-jwt
+type            Bearer
+```
+
 ### Custom (`custom`)
 
 This provider allows you to specify the required endpoints for negotiating an

@@ -80,6 +80,7 @@ require (
 	github.com/getsentry/raven-go v0.2.0 // indirect
 	github.com/ghostiam/protogetter v0.3.9 // indirect
 	github.com/go-critic/go-critic v0.12.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.2 // indirect
 	github.com/go-stack/stack v1.8.0 // indirect
 	github.com/go-toolsmith/astcast v1.1.0 // indirect

@@ -245,6 +245,8 @@ github.com/go-critic/go-critic v0.12.0/go.mod h1:DpE0P6OVc6JzVYzmM5gq5jMU31zLr4a
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
+github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI=
 github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
@@ -376,6 +378,7 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -1022,6 +1025,7 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
 golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1232,6 +1236,7 @@ golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
 golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1242,6 +1247,7 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
 golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1257,6 +1263,7 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
 golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=