Web icon

Okta SSO with OpenID Connect

Stable version 1.0.4 (Compatible with OutSystems 11)
Uploaded on 01 February 2021 by 
 (0 ratings)

Okta SSO with OpenID Connect

Gives you easy to use actions to generate the login URL and logout URL based on your application and auth server settings in Okta. Gives a function to be used in the authorization callback that Okta redirects you to after authenticating with them that validates your tokens.
Read more

This forge component will allow you to easily implement the authorization code flow into your application.

 If you are not familiar with the authorization code flow I recommend reading through some of the documentation from Okta 

At a high-level, this flow has the following steps:

  • Your application uses the self-hosted Okta sign-in widget or directs the browser to the Okta sign-in page, where the user authenticates.
  • The browser receives an authorization code from your Okta Authorization Server. 
  • The authorization code is passed to your application. In the demo that happens on the Callback page in the Common section of the UI Flows.
  • Your application sends this code to Okta, and Okta returns access and ID tokens, and optionally a refresh token.
  • This component will also perform some additional steps to authenticate the user in OutSystems as well logging the user in via the Users module.
  • There are some settings in the Okta component module to allow auto-provisioning of users if they don't exist in your OutSystems environment as well.
  • Your application can now use these tokens to call the resource server (for example an API) on behalf of the user. 

Details of component actions:

  • To use the Okta hosted sign-in page, use the LoginURL action to construct the URL for the sign-in page and then redirect the user there instead of the hosted sign-in page inside of this demo or your application.
  • You can also use the LogoutURL action to construct the URL to log the user out. You will need to send the ID Token along with that request and to be honest I haven't found a good way to hold onto the tokens inside of the application when you get them yet. If anyone has an idea on that please share and I'll update the demo with that.
  • The AuthorizationCallback action will post the authorization code received from Okta on your callback page to get the tokens.
  • The LogInUser action will authenticate your user in OutSystems using the same username the user authenticated in Okta with. There is an option to auto-provision users if the user doesn't exist yet in your environment.
  • The ValidateToken action gets called automatically inside of the AuthorizationCallback action, but can be used to validate any tokens received by Okta.


*** If you are using the self-hosted sign-in widget and you have the CSP security settings activated you will need to add rules through Service Center or Lifetime for your Okta domain and *.oktacdn.com to allow communication from the browser to your Okta domain and also to let the CSS from Okta through. You can try importing the CSS into your application but I found it to be too troublesome to manage inside of OutSystems.


I recommend setting up some site properties that can be used to pass your Okta application information easily to the actions:

  • ClientID is the Client ID of the application in Okta performing the authentication step
  • ClientSecret is the Client Secret of the application in Okta the authentication step
  • DomainURI is your Okta domain that is hosting your applications. Usually either *.oktapreview.com or *.okta.com 
  • Issuer is the identifier of the Authorization Server that will be issuing the tokens when presented the authorization code after authenticating.
  • RedirectURI is the location the user will be redirected to after performing authentication.
Release notes (1.0.4)

Added demo to show how to use the plug-in which includes the Okta self-hosted sign-in widget that can be reused in Reactive applications pretty easily.

Reviews (0)