✨ feat: Add support for Okta Authentication (#8547)

JamieStivala · web-flow · commit ad57abeaf123 · 2025-07-29T20:48:52.000+08:00
* Add Okta support to auth config and tests

* Added documentation

* Removed deprecated env variables

* Added Okta as SSO Provider

* Removed Okta Test

* Reverted a micro-change which was changed during some testing (back to original)

* Added Okta to SSO providers list
diff --git a/docs/self-hosting/advanced/auth.mdx b/docs/self-hosting/advanced/auth.mdx
@@ -55,6 +55,8 @@ Currently supported identity verification services include:
   <Card href={'/docs/self-hosting/advanced/auth/next-auth/keycloak'} title={'Keycloak'} />
 
   <Card href={'/docs/self-hosting/advanced/auth/next-auth/google'} title={'Google'} />
+
+  <Card href={'/docs/self-hosting/advanced/auth/next-auth/okta'} title={'Okta'} />
 </Cards>
 
 Click on the links to view the corresponding platform's configuration documentation.
@@ -78,6 +80,7 @@ The order corresponds to the display order of the SSO providers.
 | ZITADEL               | `zitadel`               |
 | Keycloak              | `keycloak`              |
 | Google                | `google`                |
+| Okta                  | `okta`                  |
 
 ## Other SSO Providers
 
diff --git a/docs/self-hosting/advanced/auth.zh-CN.mdx b/docs/self-hosting/advanced/auth.zh-CN.mdx
@@ -51,6 +51,8 @@ LobeChat 与 Clerk 做了深度集成，能够为用户提供一个更加安全
   <Card href={'/zh/docs/self-hosting/advanced/auth/next-auth/logto'} title={'Logto'} />
 
   <Card href={'/zh/docs/self-hosting/advanced/auth/next-auth/keycloak'} title={'Keycloak'} />
+
+  <Card href={'/zh/docs/self-hosting/advanced/auth/next-auth/okta'} title={'Okta'} />
 </Cards>
 
 点击即可查看对应平台的配置文档。
@@ -73,6 +75,7 @@ LobeChat 与 Clerk 做了深度集成，能够为用户提供一个更加安全
 | Microsoft Entra ID    | `microsoft-entra-id`    |
 | ZITADEL               | `zitadel`               |
 | Keycloak              | `keycloak`              |
+| Okta                  | `okta`                  |
 
 ## 其他 SSO 提供商
 
diff --git a/docs/self-hosting/advanced/auth/next-auth/okta.mdx b/docs/self-hosting/advanced/auth/next-auth/okta.mdx
@@ -0,0 +1,65 @@
+---
+title: Configure Okta Identity Verification Service for LobeChat
+description: >-
+  Learn how to configure Okta Identity Verification Service for LobeChat for your organization, including creating applications, adding users, and configuring environment variables.
+
+tags:
+  - Okta
+  - Identity Verification
+  - Single Sign-On
+  - Environment Variables
+  - User Management
+  - SSO Integrations
+  - Social Login
+---
+
+# Configure Okta Identity Verification Service
+
+<Steps>
+  ### Create Okta Application
+
+  Register and log in to [Okta][okta-client-page], open the "Applications" subtab in the left navigation bar, and click "Applications" to switch to the application management interface. click "Create App Integration" in the upper left corner to create an application.
+
+  Select "OIDC - OpenID Connect" in Sign-In Method and then select "Web Application" in Application Type.
+
+  Fill in the following settings:
+
+  | Setting Name           | Description                                                                                                  | Sample Information                            |
+  | ---------------------- | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------- |
+  | App Integration Name   | The Application Name your users will see                                                                     | LobeChat Instance                             |
+  | Sign-in redirect URIs  | Okta sends the authentication response and ID token for the user's sign-in request to these URIs             | (http(s)://your-domain/api/auth/callback/okta |
+  | Sign-out redirect URIs | After your application contacts Okta to close the user session, Okta redirects the user to one of these URIs | (http(s)://your-domain                        |
+
+  <Callout type={'important'}>
+    You can fill in or modify all the fields after deployment, but make sure the filled URL is
+    consistent with the deployed URL.
+  </Callout>
+
+  ### Add Users
+
+  Click on the "Assignments" in the top navigation bar to enter the user management interface, where you can create or assign users in your organization to log in to LobeChat.
+
+  ### Configure Environment Variables
+
+  When deploying LobeChat, you need to configure the following environment variables:
+
+  | Environment Variable      | Type     | Description                                                                                                                                                                                         |
+  | ------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+  | `NEXT_AUTH_SECRET`        | Required | Key used to encrypt Auth.js session tokens. You can generate a key using the following command: `openssl rand -base64 32`                                                                           |
+  | `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the single sign-on provider for LoboChat. Use `okta` for Okta.                                                                                                                               |
+  | `AUTH_OKTA_ID`            | Required | Client ID of the Okta application                                                                                                                                                                   |
+  | `AUTH_OKTA_SECRET`        | Required | Client Secret of the Okta application                                                                                                                                                               |
+  | `AUTH_OKTA_ISSUER`        | Required | Domain of the Okta application, `https://example.oktapreview.com`                                                                                                                                   |
+  | `NEXTAUTH_URL`            | Optional | The URL is used to specify the callback address for the execution of OAuth authentication in Auth.js. It needs to be set only when the default address is incorrect. `https://example.com/api/auth` |
+
+  <Callout type={'tip'}>
+    You can refer to the related variable details at [📘Environment Variables](/docs/self-hosting/environment-variable/auth#okta).
+  </Callout>
+</Steps>
+
+<Callout>
+  After successful deployment, users will be able to authenticate and use LobeChat using the users
+  configured in Okta.
+</Callout>
+
+[okta-client-page]: https://login.okta.com
diff --git a/docs/self-hosting/environment-variables/auth.mdx b/docs/self-hosting/environment-variables/auth.mdx
@@ -249,6 +249,29 @@ LobeChat provides a complete authentication service capability when deployed. Th
 - Default: `-`
 - Example: `https://your-instance-abc123.zitadel.cloud`
 
+### Okta
+
+#### `AUTH_OKTA_ID`
+
+- Type: Required
+- Description: Client ID of the Okta application. This can be found under your application settings in the Okta console.
+- Default: `-`
+- Example: `ac12c950f3ce48c8a45a`
+
+#### `AUTH_OKTA_SECRET`
+
+- Type: Required
+- Description: Client Secret of the Okta application. This can be found under your application settings in the Okta console.
+- Default: `-`
+- Example: `ex1HqvSOOkC5INqo42grOSqNvHoD4p84em1yy5QU7v88IZlaWGywFjYkrkpkSopt`
+
+#### `AUTH_OKTA_ISSUER`
+
+- Type: Required
+- Description: Issuer of the Okta application. This is the URL of the Okta instance -- If branding is set up, it can be your custom domain.
+- Default: `-`
+- Example: `https://your-instance.okta.com`
+
 ### Generic OIDC
 
 #### `AUTH_GENERIC_OIDC_ID`
diff --git a/src/libs/next-auth/sso-providers/index.ts b/src/libs/next-auth/sso-providers/index.ts
@@ -4,15 +4,16 @@ import Authentik from './authentik';
 import AzureAD from './azure-ad';
 import Casdoor from './casdoor';
 import CloudflareZeroTrust from './cloudflare-zero-trust';
+import Cognito from './cognito';
 import GenericOIDC from './generic-oidc';
 import Github from './github';
 import Google from './google';
 import Keycloak from './keycloak';
 import Logto from './logto';
 import MicrosoftEntraID from './microsoft-entra-id';
+import Okta from './okta';
 import WeChat from './wechat';
 import Zitadel from './zitadel';
-import Cognito from "./cognito";
 
 export const ssoProviders = [
   Auth0,
@@ -29,5 +30,6 @@ export const ssoProviders = [
   WeChat,
   Keycloak,
   Google,
-  Cognito
+  Cognito,
+  Okta,
 ];
diff --git a/src/libs/next-auth/sso-providers/okta.ts b/src/libs/next-auth/sso-providers/okta.ts
@@ -0,0 +1,26 @@
+import Okta from 'next-auth/providers/okta';
+
+import { CommonProviderConfig } from './sso.config';
+
+const provider = {
+  id: 'okta',
+  provider: Okta({
+    ...CommonProviderConfig,
+    authorization: { params: { scope: 'openid email profile' } },
+    clientId: process.env.AUTH_OKTA_ID,
+    clientSecret: process.env.AUTH_OKTA_SECRET,
+    issuer: process.env.AUTH_OKTA_ISSUER,
+    // Remove End
+    profile(profile) {
+      return {
+        email: profile.email,
+        id: profile.sub,
+        image: profile.picture,
+        name: profile.name ?? profile.preferred_username,
+        providerAccountId: profile.sub,
+      };
+    },
+  }),
+};
+
+export default provider;
