diff --git a/app/app/settings.py b/app/app/settings.py
index 1fa81b2a..a204a563 100644
--- a/app/app/settings.py
+++ b/app/app/settings.py
@@ -178,10 +178,18 @@ if AZUREAD_ADMIN_GROUP_ID:
SOCIAL_AUTH_OKTA_OAUTH2_KEY = env('OAUTH_OKTA_OAUTH2_KEY', None)
SOCIAL_AUTH_OKTA_OAUTH2_SECRET = env('OAUTH_OKTA_OAUTH2_SECRET', None)
SOCIAL_AUTH_OKTA_OAUTH2_API_URL = env('OAUTH_OKTA_OAUTH2_API_URL', None)
+OKTA_OAUTH2_ADMIN_GROUP_NAME = env('OKTA_OAUTH2_ADMIN_GROUP_NAME', None)
+
+if SOCIAL_AUTH_OKTA_OAUTH2_API_URL:
+ SOCIAL_AUTH_OKTA_OAUTH2_SCOPE = ["groups"]
SOCIAL_AUTH_OKTA_OPENIDCONNECT_KEY = env('OAUTH_OKTA_OPENIDCONNECT_KEY', None)
SOCIAL_AUTH_OKTA_OPENIDCONNECT_SECRET = env('OAUTH_OKTA_OPENIDCONNECT_SECRET', None)
SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL = env('OAUTH_OKTA_OPENIDCONNECT_API_URL', None)
+OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME = env('OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME', None)
+
+if SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL:
+ SOCIAL_AUTH_OKTA_OPENIDCONNECT_SCOPE = ["groups"]
SOCIAL_AUTH_PIPELINE = [
'social_core.pipeline.social_auth.social_details',
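Review bot: `OKTA_OAUTH2_ADMIN_GROUP_NAME` and `OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME` default to `None`, and the pipeline steps added in `app/server/social_auth.py` test that value with `group_name in response.get("groups", [])`, so leaving either unset means no Okta user can become superuser and an Okta user who already is one has `is_superuser` cleared at the next login. That is a sensible fail-closed default, but nothing in this file says so; a comment such as `# Okta group whose members get is_superuser; leave unset to grant no Okta user superuser` above each setting would spare operators a surprise. The `["groups"]` value is added by social-core on top of the backend's default scope, so the `openid`/`profile`/`email` defaults should not be lost, but the `groups` claim presumably also has to be enabled on the Okta authorization server for the userinfo call to return it — worth a line in the deployment docs next to these settings.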
@@ -195,6 +203,8 @@ SOCIAL_AUTH_PIPELINE = [
'social_core.pipeline.user.user_details',
'server.social_auth.fetch_github_permissions',
'server.social_auth.fetch_azuread_permissions',
+ 'server.social_auth.fetch_okta_oauth2_permissions',
+ 'server.social_auth.fetch_okta_openidconnect_permissions',
]
ROLE_PROJECT_ADMIN = env('ROLE_PROJECT_ADMIN', 'project_admin')
diff --git a/app/server/social_auth.py b/app/server/social_auth.py
index 35adf722..6be612c1 100644
--- a/app/server/social_auth.py
+++ b/app/server/social_auth.py
@@ -2,6 +2,8 @@ import requests
from django.conf import settings
from social_core.backends.azuread_tenant import AzureADTenantOAuth2
from social_core.backends.github import GithubOAuth2
+from social_core.backends.okta import OktaOAuth2
+from social_core.backends.okta_openidconnect import OktaOpenIdConnect
# noinspection PyUnusedLocal
@@ -68,3 +70,49 @@ def fetch_azuread_permissions(strategy, details, user=None, is_new=False, *args,
if user.is_superuser != is_superuser:
user.is_superuser = is_superuser
user.save()
+
+
+# noinspection PyUnusedLocal
+def fetch_okta_oauth2_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
+ org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OAUTH2_API_URL', '')
+ group_name = getattr(settings, "OKTA_OAUTH2_ADMIN_GROUP_NAME", "")
+ if not user or not isinstance(kwargs['backend'], OktaOAuth2):
+ return
+
+ response = requests.post(
+ url=f"{org_url}/v1/userinfo",
+ headers={
+ 'Authorization': 'Bearer {}'.format(kwargs['response']['access_token']),
+ },
+ )
+ response.raise_for_status()
+ response = response.json()
+
+ is_superuser = group_name in response.get("groups", [])
+
+ if user.is_superuser != is_superuser:
+ user.is_superuser = is_superuser
+ user.save()
+
+
+# noinspection PyUnusedLocal
+def fetch_okta_openidconnect_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
+ org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL', '')
+ group_name = getattr(settings, "OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME", "")
+ if not user or not isinstance(kwargs['backend'], OktaOpenIdConnect):
+ return
+
+ response = requests.post(
+ url=f"{org_url}/v1/userinfo",
+ headers={
+ 'Authorization': 'Bearer {}'.format(kwargs['response']['access_token']),
+ },
+ )
+ response.raise_for_status()
+ response = response.json()
+
+ is_superuser = group_name in response.get("groups", [])
+
+ if user.is_superuser != is_superuser:
+ user.is_superuser = is_superuser
+ user.save()
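Review bot: Both `requests.post` calls to `/v1/userinfo` (in `fetch_okta_oauth2_permissions` and again in `fetch_okta_openidconnect_permissions`) are made without a `timeout`, so a slow or unresponsive Okta endpoint holds the login worker for as long as the socket stays open; pass `timeout=` (for example `timeout=10`, a constructed value to tune per deployment) and let the existing `raise_for_status()` surface failures. The two functions differ only in the backend class and the two setting names, so the userinfo call and the superuser sync are better kept in one helper, as sketched below — that also puts the timeout in exactly one place. The three lines of `fetch_azuread_permissions` at the top of the hunk are context only; that function starts outside the hunk.
```python
OKTA_USERINFO_TIMEOUT = 10  # seconds; constructed default, tune per deployment


def _sync_okta_superuser(user, access_token, org_url, group_name):
    # Shared by both Okta pipeline steps; only the backend class and the
    # setting names differ between them.
    response = requests.post(
        url=f"{org_url}/v1/userinfo",
        headers={
            'Authorization': 'Bearer {}'.format(access_token),
        },
        timeout=OKTA_USERINFO_TIMEOUT,
    )
    response.raise_for_status()
    is_superuser = group_name in response.json().get("groups", [])
    if user.is_superuser != is_superuser:
        user.is_superuser = is_superuser
        user.save()


# noinspection PyUnusedLocal
def fetch_okta_oauth2_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
    if not user or not isinstance(kwargs['backend'], OktaOAuth2):
        return
    _sync_okta_superuser(
        user,
        kwargs['response']['access_token'],
        getattr(settings, 'SOCIAL_AUTH_OKTA_OAUTH2_API_URL', ''),
        getattr(settings, "OKTA_OAUTH2_ADMIN_GROUP_NAME", ""),
    )

# … unchanged pattern: fetch_okta_openidconnect_permissions, same body with
#     OktaOpenIdConnect and the *_OPENIDCONNECT_* settings …
```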
diff --git a/app/server/templates/login.html b/app/server/templates/login.html
index 34c9d576..1917ffbe 100644
--- a/app/server/templates/login.html
+++ b/app/server/templates/login.html
@@ -71,8 +71,14 @@
Login with Active Directory
{% endif %}
- {% if (okta_oauth_login or okta_openidconnect_login) %}
-
+ {% if okta_oauth_login %}
+
+
+ Login with Okta
+
+ {% endif %}
+ {% if okta_openidconnect_login %}
+
Login with Okta