okta-cli's Issues

brew install for version 0.8.0 -- SHA256 mismatch error

Error: SHA256 mismatch
Expected: 2d5368a3f17ddd95146a5b691775ad0f233d230dbcfe938fbae5e2a33a3b6b22
Actual: 64f29e4c137c7dab93f3311f31040fc456ec96ea5567b943c93282da0fccac21

Tried removing the temp download file, brew untap oktadeveloper/tap, and brew reinstall okta.
No luck with any of them.

Okta domain terminology

I'm not sure what the current behavior is exactly, but from other discussions it appears that the CLI uses the term org URL to refer to an org's Okta domain.

All of our touchpoints should use standard terminology: https://oktawiki.atlassian.net/wiki/spaces/UX/pages/470681125/


✅ Standard: "Okta domain".

  • https://{yourOktaDomain}
  • Always includes the top-level domain (.com, .eu, etc). An Okta domain is a fully-qualified domain name.
  • Does not include the protocol (https). Protocols are part of specific URLs, but are separate from the domain.
  • Can be customized, so might be dev-123456.oktapreview.com, company.okta.com, id.example.org, etc.
  • "Okta domain" is preferred, but "domain" is acceptable if context ensures the meaning is unambiguous. (Customers may also interact with other types of "domains", such as Active Directory or websites they manage. Be specific.)
  • A domain is an attribute of an Okta organization.

✅ Native apps: "scheme".

  • {scheme}:/+expo-auth-session
  • For native apps that use reverse DNS notation, "scheme" is the Okta domain in reverse order.
  • Matches domain customization, so might be com.oktapreview.dev-123456, com.okta.company, org.example.id, etc.

ℹ️ Related: "organization".

  • When speaking about concepts and architecture, "organization" and "org" are still used.
  • An org is part of Okta's architecture, and represents a real-world organization using Okta.
  • An org is persistent, while an org's domain may change over time.

❌ Avoid: "subdomain", "tenant", "org URL", "Okta URL", "org domain".

`okta apps create` throws NPE when not logged in

I am trying 0.8 version build on Windows 10 and get the following error:

PS P:> okta apps create
Application name [Movie-Explorer]:
Type of Application
(The Okta CLI only supports a subset of application types and properties):

1: Web
2: Single Page App
3: Native App (mobile)
4: Service (Machine-to-Machine)
Enter your choice [Web]: 3
java.lang.NullPointerException
at java.net.URI$Parser.parse(URI.java:3104)
at java.net.URI.<init>(URI.java:600)
at java.net.URI.create(URI.java:881)
at com.okta.cli.common.URIs.reverseDomain(URIs.java:27)
at com.okta.cli.commands.apps.AppsCreate.createNativeApp(AppsCreate.java:128)
at com.okta.cli.commands.apps.AppsCreate.runCommand(AppsCreate.java:88)
at com.okta.cli.commands.BaseCommand.call(BaseCommand.java:41)
at com.okta.cli.commands.BaseCommand.call(BaseCommand.java:26)
at picocli.CommandLine.executeUserObject(CommandLine.java:1783)
at picocli.CommandLine.access$900(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2150)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2144)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2108)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:1975)
at picocli.CommandLine.execute(CommandLine.java:1904)
at com.okta.cli.OktaCli.run(OktaCli.java:64)
at com.okta.cli.OktaCli.main(OktaCli.java:54)

PS P:> java -version
openjdk version "11.0.7" 2020-04-14 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.7+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.7+10-LTS, mixed mode)

Is there something I did wrong?

Always assumes the "default" issuer

If an organization does NOT have the "/default" issuer the Okta Maven Plugin will fail.
All Developer accounts have this issuer, but it could have been removed.

Add ability to configure social and custom domains

Let's face it, configuring social login and custom domains is kinda painful because there are so many steps. Let's automate them with the CLI!

Maybe Cloudflare has an API we can use to automate our guide? I'm not sure.

Sample commands:

okta add custom-domain <URL>
okta add social-login

Related: what if okta add was a way of adding plugins? Kinda like Oh My Zsh's plugins? It might be cool to have an architecture where developers can extend the CLI for their own needs. I could see it being used by DevOps teams to automate adding/removing apps as part of their CI process.

Windows 10 'okta register' returns an error after entering verification code.

Windows 10 'okta register' returns an error after entering verification code.
No link to set password.

okta register
An existing Okta Organization (https://dev-6224545.okta.com) was found in C:\Users\User\.okta\okta.yaml
Overwrite configuration file? [Y/n]Y
Configuration file backed: C:\Users\User\.okta\okta.yaml.20201105T1539
First name: KOstya
Last name: Drozdov
Email address: [email protected]
Company: test
Creating new Okta Organization, this may take a minute:
OrgUrl: https://dev-9044671.okta.com
An email has been sent to you with a verification code.

Check your email
Verification code: 919053

An error occurred if you need more detail use the '--verbose' option

null

Remove `export` and quotes from generated `.okta.env`

Today I realized that there's really no reason for .okta.env to have export or use quotes around values. If we remove export and the quotes from the values, running source .okta.env will still set the environment variables.

I'm not sure if this will work on Windows. However, if it does, I think we should switch to it and update old blog posts. With the CLI include, it should be easy.

One of the nice things about moving to a syntax recognized by dotenv is you can copy/paste into your IDE for environment variables and you can also rename it to .env and it'll set the variables for Docker Compose.

Autofill Okta URL protocol

Similarly, it doesn't autofill the protocol.

If you don't manually include https:// at login in the string, it fails.

This makes the UX bad: when you copy the URL from the web dashboard it does include the protocol, and this causes unnecessary friction.

Originally posted by @Gilgahex in #77 (comment)

JHipster option doesn't work with Micronaut blueprint

The JHipster option with Okta CLI expects you to be using Spring Boot. That won't always be the case since there's also Node.js, Quarkus, .NET, and Micronaut versions of JHipster. Ideally, our Okta CLI is smart enough to detect the framework used and override the appropriate environment variables. In this case, you could look for generator-jhipster-micronaut in the dependencies.

When I tried okta apps create on this repo and selected JHipster, it writes the following to .okta.env:

export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET="ZZZ"
export SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI="https://dev-896939.okta.com/oauth2/default"
export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID="XXX"

Ideally, for Micronaut, it'd write:

MICRONAUT_SECURITY_OAUTH2_CLIENTS_OIDC_OPENID_ISSUER
MICRONAUT_SECURITY_OAUTH2_CLIENTS_OIDC_CLIENT_ID
MICRONAUT_SECURITY_OAUTH2_CLIENTS_OIDC_CLIENT_SECRET

Semantic UI, jQuery and Vue webpack error

Semantic UI has a dependency on jQuery and I can't seem to get around the error below. I've tried importing jQuery in main.js and in the file where I need to use jQuery (for semantic UI's form validation). Any ideas how to fix it?

TypeError: jquery__WEBPACK_IMPORTED_MODULE_0___default(...)(...).form is not a function"

User sees activated and deactivated applications in one list by executing command 'okta apps'

User sees activated and deactivated applications in one list by executing command 'okta apps'.
Is it OK? Do we need to improve the output of the 'okta apps' command by adding the status (ACTIVE/INACTIVE) for each application or separate them somehow?

odl1808008:testOktaCreate kdrozdov$ okta apps
0oakde4tQo87VFF0s5d5	okta-angular-sample
0oakdsruuyIckZPl45d5	okta-spring-boot-sample
0oamzgs9JKzuZIlWr5d5	okta-aspnet-core3-sample
0oaokytw8Gs5akrRL5d5	okta-vue-sample
0oaprkmwDga7GJJjG5d5	erere
0oapru34tjQw5RlRu5d5	ghghg
0oapryy179GK8bAgr5d5	testse
0oaps44vmPI5eaQiR5d5	rerertdgfd
0oaps600Nt3MdUyPu5d5	trtrt
0oapsc9z0ArO2n0oI5d5	tete
0oapsei46ekXWYcyp5d5	ooo
0oapskquFvW5Jg2Gu5d5	tetete

Cannot create a new application using the same name

Steps to reproduce:

  1. Create Angular + Okta, using okta start command
  2. Run command: okta apps create
  3. Use application name of existing application - okta-angular-sample
  4. Change application type and URIs

Result:

HTTP 400, Okta E0000001 (Api validation failed: label - label: An active OpenID Connect Client instance with the label "okta-angular-sample " already exists.), ErrorId oaePTQoIXOWSI29R3BekDk7yw

Add Support for Configuring a JHipster App

JHipster uses Spring Boot, but not the Okta Spring Boot starter. Nevertheless, it'd be cool if we could configure a JHipster app with this plugin.

Here's what's required:

  • Create ROLE_ADMIN and ROLE_USER groups if they don't exist
  • Create a roles claim to include the groups
  • Create a new Web app, set the redirect URI to end in /oidc rather than /okta, and set a logout redirect URI to http://localhost:8080

More details at https://www.jhipster.tech/security/#oauth2.

`apps create` check if project matches expected type before continuing

Running apps create in an empty directory and creating a Spring Boot application will create a src/main/resources/application.properties. While this IS expected, if there is no pom.xml, build.gradle, or build.gradle.kts in that directory it seems odd.

Steps to reproduce:

I created a new Okta account via okta-cli.
Then I run command okta apps create:

okta apps create
Application name [Downloads]: test-app
Type of Application
(The Okta CLI only supports a subset of application types and properties):
> 1: Web
> 2: Single Page App
> 3: Native App (mobile)
> 4: Service (Machine-to-Machine)
Enter your choice [Web]: 1
Type of Application
> 1: Okta Spring Boot Starter
> 2: Spring Boot
> 3: JHipster
> 4: Other
Enter your choice [Other]: 1
Redirect URI
Common defaults:
 Spring Security - http://localhost:8080/login/oauth2/code/okta
 JHipster - http://localhost:8080/login/oauth2/code/oidc
Enter your Redirect URI [http://localhost:8080/login/oauth2/code/okta]: 
Enter your Post Logout Redirect URI [http://localhost:8080/]: 
Configuring a new OIDC Application, almost done:
Created OIDC application, client-id: 0oanrcmrnULlncLNc5d5

Okta application configuration has been written to: /home/kostya/Downloads/src/main/resources/application.properties

Then I found a new application in Developer console, but also in my current directory 'src' folder was created.
Do we need extra description in readme, how okta apps create should work?

Linux install fails to properly update path (and exits silently)

OS: Linux 5.4.0-77-generic #86~18.04.1-Ubuntu

In the "install" function at line 73:

  # check if okta is on the path
  LOCATION=$(command -v okta)

This fails (and the script exits) because the script has set exit on error at line 18:
set -e

To fix this, just do this around setting the "LOCATION" var:

  set +e
  # check if okta is on the path
  LOCATION=$(command -v okta)
  set -e

or use "try" as done in the previous code block.
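
The failure mode reported in this issue, next to two ways of keeping the lookup from aborting a `set -e` script, as an added example (it is not the project's install script). `okta-not-installed-example` is a constructed command name standing in for an `okta` binary that is not on the PATH.

```shell
#!/bin/sh
# Added illustration, not code from the Okta CLI installer.
# MISSING is a constructed name for a command that is not installed.
MISSING=okta-not-installed-example

# Pattern from the issue: under `set -e`, a plain assignment takes the exit
# status of its command substitution, so a failed lookup ends the script
# before the next line runs and nothing is printed.
lookup_unguarded() {
  sh -c 'set -e
         LOCATION=$(command -v "$1")
         echo "reached: LOCATION=[$LOCATION]"' sh "$1"
}

# Fix 1: make the lookup the condition of an `if`; `set -e` ignores failures
# of commands that are being tested.
lookup_guarded_if() {
  sh -c 'set -e
         if LOCATION=$(command -v "$1"); then :; else LOCATION=""; fi
         echo "reached: LOCATION=[$LOCATION]"' sh "$1"
}

# Fix 2: `|| true` keeps `set -e` active for the rest of the script, unlike
# switching it off and on again around the assignment.
lookup_guarded_or() {
  sh -c 'set -e
         LOCATION=$(command -v "$1") || true
         echo "reached: LOCATION=[$LOCATION]"' sh "$1"
}

# Run all three variants against the missing command and report what happened.
for variant in lookup_unguarded lookup_guarded_if lookup_guarded_or; do
  if out=$("$variant" "$MISSING" 2>/dev/null); then
    echo "$variant: continued -> $out"
  else
    echo "$variant: script aborted with status $?"
  fi
done
```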

First name/Last name validation is missing.

First name/Last name validation is missing for command register

Is it a good idea to add some validation for First and Last name during registration?
It was possible for me to create user first/last name using two or more words and special characters.

Add "start" cli parameter

Should support:

  • start spa
  • start web

Should collect login redirect URI (with default specified) as well as logout redirect URI (with default specified)

Similar functionality to register - should also collect name, email, password, etc.

BUT, in addition to allocating the okta org and API token, will also create specified application type and return client_id (and client_secret for web app)

Feature Request - list all Applications and be able to create sample App

Curious if you're interested in adding those 2 features

List all applications

  1. List first 20 or 50 or 100 applications (we can try to figure out what's best heuristic number together.) Or maybe the number can be parameter and default 20 and max is 1000.
  2. Probably don't need to consider pagination now.

Create sample application

Kind of similar to creating a real app, it'd be nice to allow creating sample apps.

e.g.
okta create-sample --app_id=xxxxx
> 1: React
> 2: Angular
> 3: Vue

The options vary depending on what kind of application it is (dictated by the app_id)

What it does is

  • check out our sample repo gitHub.com/okta/samples-* to a specific folder, e.g. ~/okta-samples
  • create env file
  • start the sample app (optional as parameter like --start cause I'm not sure if we can just start native sample from cli.)

Okta login does not trim org url

When I copied org url from Okta dev console I accidentally copied an extra space character in front of the URL. Running Okta login didn't fail but running any command resulted in Illegal character in scheme name error.
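
One way to sanitize the value before it is stored, as an added example (shell, not the CLI's own Java code). It goes beyond this report and also covers the missing-protocol and empty-value cases reported above, plus the reverse-DNS "scheme" from the terminology issue. The function names, the https-only rule and the hostname character check are assumptions of this example.

```shell
#!/bin/sh
# Added illustration, not Okta CLI code. All function names are hypothetical.

# Trim surrounding whitespace, add https:// when no protocol was typed, drop
# any path, and print the resulting URL. Returns 1 with a message when there
# is nothing usable, so callers never receive an empty or malformed value.
normalize_okta_url() {
  url=$(printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
  if [ -z "$url" ]; then
    echo "no Okta domain given (not logged in?)" >&2
    return 1
  fi
  case $url in
    *://*) ;;                       # protocol already present
    *) url="https://$url" ;;        # copied without protocol
  esac
  scheme=${url%%://*}
  rest=${url#*://}
  host=${rest%%/*}
  # Assumption of this example: only https is accepted.
  if [ "$scheme" != "https" ]; then
    echo "unsupported protocol: $scheme" >&2
    return 1
  fi
  # Assumption: a fully-qualified name made of letters, digits, '-' and '.'.
  case $host in
    ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) valid=no ;;
    *.*) valid=yes ;;
    *) valid=no ;;
  esac
  if [ "$valid" != "yes" ]; then
    echo "not a fully-qualified domain name: $host" >&2
    return 1
  fi
  printf '%s://%s\n' "$scheme" "$host"
}

# The "Okta domain": the normalized value without the protocol.
okta_domain() {
  url=$(normalize_okta_url "$1") || return 1
  printf '%s\n' "${url#*://}"
}

# Reverse-DNS form used as the native-app scheme, e.g. com.okta.company.
reverse_domain() {
  domain=$(okta_domain "$1") || return 1
  reversed=""
  old_ifs=$IFS
  IFS=.
  for label in $domain; do          # safe to split: characters validated above
    reversed="$label${reversed:+.$reversed}"
  done
  IFS=$old_ifs
  printf '%s\n' "$reversed"
}

# Constructed inputs: leading space, no protocol, trailing path, empty value.
for input in ' https://dev-123456.okta.com' 'company.okta.com' \
             'https://id.example.org/app/UserHome' ''; do
  if out=$(reverse_domain "$input" 2>&1); then
    echo "[$input] -> $(normalize_okta_url "$input") -> $out:/callback"
  else
    echo "[$input] -> rejected: $out"
  fi
done
```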

Too many dependencies for the flatpak package

Hello Here

First of all, thanks for providing flatpak image for the Linux users

It looks like there are probably too many unnecessary dependencies:

 flatpak install com.okta.developer.CLI
Looking for matches…

Found similar ref(s) for ‘com.okta.developer.CLI’ in remote ‘flathub’ (system).
Use this remote? [Y/n]: Required runtime for com.okta.developer.CLI/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/19.08) found in remote flathub
Do you want to install it? [Y/n]: y

com.okta.developer.CLI permissions:
    network   file access [1]

    [1] host


        ID                                              Branch            Op           Remote            Download
 1. [✓] org.freedesktop.Platform.GL.default             19.08             i            flathub            88.6 MB / 89.1 MB
 2. [✓] org.freedesktop.Platform.Locale                 19.08             i            flathub            17.6 kB / 318.3 MB
 3. [✓] org.freedesktop.Platform.VAAPI.Intel            19.08             i            flathub             8.6 MB / 8.7 MB
 4. [✓] org.freedesktop.Platform.openh264               2.0               i            flathub           266.5 kB / 1.5 MB
 5. [✓] org.freedesktop.Platform                        19.08             i            flathub           193.9 MB / 238.5 MB
 6. [✓] com.okta.developer.CLI                          stable            i            flathub            16.5 MB / 16.5 MB

For example, does Okta CLI actually require VAAPI and openh264 (both for the video encoding)? Platform.GL does look necessary for the CLI tool either


Current OS: Ubuntu 20.10
Flatpak version: 1.8.2-1(from the repo)
Okta CLI version: 0.7.1-1f9781e

Choices are not intuitive - 1 vs Yes

I thought I had to type some form of "Yes". It took me a while to realize it was 1 or 2. 😅

okta register
An existing Okta Organization (https://dev-896939.okta.com) was found in /Users/mraible/.okta/okta.yaml
Overwrite configuration file?
> 1: Yes
> 2: No
Enter your choice [Yes]: y

Invalid choice, try again

Overwrite configuration file?
> 1: Yes
> 2: No
Enter your choice [Yes]: Yes

Invalid choice, try again

Overwrite configuration file?
> 1: Yes
> 2: No
Enter your choice [Yes]: yes

Invalid choice, try again

Overwrite configuration file?
> 1: Yes
> 2: No
Enter your choice [Yes]: Y

Invalid choice, try again

Overwrite configuration file?

Related: If I use [URL1,URL2] for redirect URIs, it fails.

➜  ionic-social git:(master) okta apps create
Application name [ionic-social]: Ionic Social
Type of Application
(The Okta CLI only supports a subset of application types and properties):
> 1: Web
> 2: Single Page App
> 3: Native App (mobile)
> 4: Service (Machine-to-Machine)
Enter your choice [Web]: 3
Redirect URI
Common defaults:
 Reverse Domain name - com.example:/callback
Enter your Redirect URI [com.okta.dev-317297:/callback]: [com.okta.dev-317297:/callback,http://localhost:8100]
Configuring a new OIDC Application, almost done:
\

An error occurred if you need more detail use the '--verbose' option

HTTP 400, Okta E0000001 (Api validation failed: redirect_uris - redirect_uris: ''redirect_uris'' must be an array of absolute URIs.), ErrorId oaenTDlC5_mQCaQhjgbe8JTpg

Using URL1,URL2 works.

Finally, how do I add/edit logout redirect URIs? It doesn't seem to be an option.

Update start.okta.dev api to support email as a factor on register

register command line param should collect name, email and password

  • backend API should allocate Okta org and API token
  • it should call the enroll and activate factor API for email factor (resulting in an email being sent to user)
  • cli should wait for user to enter the OTP code emailed to them
  • only after correct otp code is entered, cli should return with API token set
  • API will need to save API token to datastore, since it's an async process. API token should be deleted when process is complete. API token should auto-expire if too much time passes (maybe redis?). Should also use Amazon keystore to encrypt API token at rest. Steal code from heroku addon

PKIX error when running okta start and selecting any option

I am running OpenJDK 11 on Mac OS 10.15.7. When I run okta start and select any number to download it fails with a PKIX error. I would really like to use the tool, but I can't get off first base. What URL is it trying to access?

com.okta.commons.http.HttpException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.okta.commons.http.httpclient.HttpClientRequestExecutor.executeRequest(HttpClientRequestExecutor.java:191)
at com.okta.commons.http.RetryRequestExecutor.doExecuteRequest(RetryRequestExecutor.java:147)
at com.okta.commons.http.RetryRequestExecutor.executeRequest(RetryRequestExecutor.java:120)
at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:443)
at com.okta.sdk.impl.ds.DefaultDataStore.lambda$getResourceData$1(DefaultDataStore.java:196)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47)
at com.okta.sdk.impl.ds.cache.WriteCacheFilter.filter(WriteCacheFilter.java:34)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
at com.okta.sdk.impl.ds.cache.ReadCacheFilter.filter(ReadCacheFilter.java:42)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
at com.okta.sdk.impl.ds.DefaultDataStore.getResourceData(DefaultDataStore.java:208)
at com.okta.sdk.impl.ds.DefaultDataStore.getResource(DefaultDataStore.java:177)
at com.okta.sdk.impl.ds.DefaultRequestBuilder.get(DefaultRequestBuilder.java:90)
at com.okta.cli.common.service.DefaultAuthorizationServerService.authorizationServersMap(DefaultAuthorizationServerService.java:33)
at com.okta.cli.commands.apps.CommonAppsPrompts.getIssuer(CommonAppsPrompts.java:36)
at com.okta.cli.commands.Start.runCommand(Start.java:122)
at com.okta.cli.commands.BaseCommand.call(BaseCommand.java:41)
at com.okta.cli.commands.BaseCommand.call(BaseCommand.java:26)
at picocli.CommandLine.executeUserObject(CommandLine.java:1783)
at picocli.CommandLine.access$900(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2150)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2144)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2108)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:1975)
at picocli.CommandLine.execute(CommandLine.java:1904)
at com.okta.cli.OktaCli.run(OktaCli.java:64)
at com.okta.cli.OktaCli.main(OktaCli.java:54)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1409)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1315)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.okta.commons.http.httpclient.HttpClientRequestExecutor.executeRequest(HttpClientRequestExecutor.java:186)
... 26 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at sun.security.validator.Validator.validate(Validator.java:264)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 51 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 57 more

.okta.env file is actually a bash

Hello!

I'm not sure it was intentional, but okta apps create effectively generates an sh-like file.
.env is a key-value file format that is very popular and has support in pretty much any language and Docker.

Expected behaviour

.env file is produced with format like:

KEY=VALUE

Current behaviour

.okta.env has format like:

export KEY=VALUE

Workaround

The generated file can be converted to .env by stripping the export bit with a simple command:

sed -i 's/^export //' .okta.env

Okta CLI version: 0.7.1-1f9781e
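
A converter that generalizes the `sed` workaround above and also removes the quotes, as proposed in the earlier "Remove `export` and quotes" issue. This is an added example, not Okta CLI code: the function names are hypothetical, and the sample file is constructed from the placeholder values shown on this page plus one extra `NOTE` line. The file is parsed as text and never sourced, so nothing inside a value is executed.

```shell
#!/bin/sh
# Added illustration, not Okta CLI code. Function names are hypothetical.

# Print FILE as plain dotenv KEY=VALUE lines. Accepts `export KEY="VALUE"`,
# `KEY='VALUE'` and `KEY=VALUE`. Lines that are not a valid assignment are
# skipped; the warning never echoes the value, which may be a client secret.
okta_env_to_dotenv() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;               # blank lines and comments
    esac
    line=${line#"export "}               # same effect as sed 's/^export //'
    case $line in
      *=*) ;;
      *) echo "skipped a line without '='" >&2; continue ;;
    esac
    key=${line%%=*}                      # text before the first '='
    value=${line#*=}                     # everything after the first '='
    case $key in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "skipped a line with an invalid variable name" >&2; continue ;;
    esac
    case $value in                       # strip one pair of matching quotes
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    printf '%s=%s\n' "$key" "$value"
  done < "$1"
}

# Constructed sample in the format the CLI writes today. The NOTE line is an
# extra constructed value showing that shell syntax is kept as literal text.
sample_okta_env() {
  cat <<'EOF'
export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET="ZZZ"
export SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI="https://dev-896939.okta.com/oauth2/default"
export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID="XXX"
export NOTE="$(id)"
EOF
}

demo_file=$(mktemp)
sample_okta_env > "$demo_file"
okta_env_to_dotenv "$demo_file"
rm -f "$demo_file"
```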

Change Spring Boot default application.properties to be generated in root directory

Currently, when you create a Spring Boot App with the Okta CLI (using Spring Security or the Okta Spring Boot Starter), it adds all your configuration to src/main/resources/application.properties. This isn't great because people often have non-sensitive configuration information in this file and they'll likely want to check it in.

I think it's better to generate application.properties in the root directory. This file will still be read when you start the app, and it's unlikely people will check it in by mistake.

Add Quarkus support

The objective is to provide a first class support for Quarkus application.

Add a command to get an access token for an app

We use the OIDC debugger in a lot of tutorials and often enable implicit flow to make things faster.

What if we could get an access token from the CLI?!

okta token --app=XXX

Equally as good: generate one from the dashboard.

Is the version necessary for Chocolatey?

I noticed that most of the install commands in the README don't require a version. However, the Chocolatey example does use a version:

choco install okta --version=0.7.0

Is this necessary? If so, we might want to automate updating the README as part of the release process.

Add support for configuring apps with OktaDev Schematics

OktaDev Schematics supports quite a few frameworks if apps are created with said framework's CLI.

  • Angular
  • React
  • Vue
  • Ionic
  • React Native
  • Express

It even detects if the app is using TypeScript and configures accordingly. I think it'd be cool if the Okta CLI could take advantage of Schematics and use them to configure an app like it does for Spring Boot.

The CLI would likely need to run a few commands:

npm install -g @angular-devkit/schematics-cli
npm i -D @oktadev/schematics
schematics @oktadev/schematics:add-auth --issuer=$issuer --clientId=$clientId

You could also leverage npx, but you'll still need to install @oktadev/schematics first.

npm i -D @oktadev/schematics
npx @angular-devkit/schematics-cli @oktadev/schematics:add-auth --issuer=$issuer --clientId=$clientId

Ideally, the CLI would detect Angular and use port 4200, React on 3000, and Vue on 8080.

How are CLI Credentials Managed

  1. How are CLI credentials managed?
  2. Are CLI credentials\tokens persisted on the local machine where the CLI is installed after the login command?
  3. Is any part of OAuth credentials rendered by any CLI command?
  4. What is the full sample output from okta apps config with the --verbose option?

Add okta config:set/get/edit

I love how the Heroku CLI allows you to use heroku config:get to read a value, heroku config:set to set a value, and heroku config:edit if you want to edit all values. It'd be really sweet if we could update all the settings of an OIDC app (particularly redirect URIs) from the CLI.

Warn user when configuring a deactivated application

If an inactive Okta Application already exists and the Okta CLI creates an app with the same name (by default the directory name), okta start (and likely okta apps create) will generate a configuration for the deactivated app.

Running the app, and attempting to login (via an OAuth redirect) will result in Okta showing a 400 error with no indication of what happened (on purpose, to prevent leaking data).

The solution may be to either warn the user, or possibly write the config but then exit with a non-zero exit status (or both).

`okta apps` shows disabled apps

I was running an app today that kept giving me a 400 error. Using the CLI, I ran okta apps and made sure I had the correct client ID. Once I confirmed this was correct, I was quite puzzled. Then, I logged into the Okta Admin Console and discovered the app wasn't listed. I checked my Okta org URL because I was super confused on why it wouldn't be there. Then, I realized it was disabled. Once I enabled it again, everything worked. I imagine other developers might run into this issue.

Updating Linux install instructions via Flatpak

Just wanted to point out the second step for installing via Flatpak requires the flathub remote name before the package name.

Is it ok if I submit a PR?

From this:
flatpak install com.okta.developer.CLI

To this:
flatpak install flathub com.okta.developer.CLI

Move native image to its own profile

Building a Native Image is a time consuming operation. The current setup has it active in the main lifecycle which means native executables are generated every single time mvn package or mvn verify are issued. It would be better to move native image configuration to its own profile.

WARNING: This move likely affects release configuration.

`okta start`: How do I change a sample app's name?

I added Micronaut, Quarkus, and Helidon samples to https://github.com/okta-samples tonight. Now, when I run okta start, I get the following output:

> 1: Spring Boot + Okta
> 2: Vue + Okta
> 3: ASP.NET Core MVC + Okta
> 4: Angular + Okta
> 5: React Native + Okta
> 6: React + Okta
> 7: Okta Quarkus Sample
> 8: Android Java + Okta
> 9: Python Flask + Okta
> 10: Node.js Express + Okta
> 11: Golang Gin + Okta
> 12: Golang Gin API + Okta
> 13: Okta Micronaut Sample
> 14: Okta Helidon Sample

Is it possible to change the titles of the samples I added? It might be better to have "Quarkus + Okta" rather than "Okta Quarkus Sample".

If it's not possible to override the names, how are the titles determined? There's a lot of "Okta" that looks repetitive with the large list. It'd be cool if you could type and it'd filter in real-time. Or sort alphabetically.

Also, if OIDC login and API access can be combined into one, I think we should do that. Most of the Java examples have both.
